URL relationship permanence

Dro Kulix dro at drocore.com
Thu Jun 30 06:06:48 PDT 2005


I can't deny that there's a point, though.  The way I see it, a major
purpose of OpenID is to be able to leave comments on other community sites
without becoming a user.  My personal site, for example, runs exactly one
journal, and to ask for an OpenID for the ability to leave a comment seems
reasonable, but to ask for a sign-up seems decidedly unreasonable (my
journal isn't _that_ good).  So, in cases where only an OpenID (and no
user account) is involved, the spec is perhaps a bit looser than we would
like.

I would venture that getting signatures into the spec fairly soon would be
a good start, but this is an issue that merits more thought.

-- Dro

> This is my understanding of the whole thing, so don't pay too much
> attention to it as I might be completely off the mark :).
>
> OpenID doesn't strictly confirm identity; it confirms ownership which is
> something that we tend to identify with identity. In reality at any point
> in time whoever owned something yesterday isn't necessarily still the
> owner of it today.
>
> The closest analogy I can think of is your mailing address (e-mail address
> works fine too). It is yours and yours alone, but only for as long as you
> still live there. If you moved out and I move in right away, I can take on
> your 'identity' to whomever considers your mailing address to be you.
>
> My point is that the burden of maintaining your 'identity' falls on you.
> If Zack's domain gets compromised or he loses his ownership of it then
> it's his responsibility to inform all the involved parties of that fact.
> The sites in question would then simply add his old OpenID URL to the list
> of URLs it will not accept as identity, preventing anyone from
> impersonating him.
>
> Another approach is mapping an OpenID URL to a local username. In this
> case Zack would have both his OpenID URL and a local account at the
> message board. He can use his OpenID URL as his credentials to post or
> administer (which the site would map to his board username) but if his
> OpenID URL should become compromised he simply logs into the board the
> "old-fashioned" way and removes the mapping of his old OpenID URL to his
> username, once again preventing impersonation.
> In this case the local account has a much higher trust factor than a valid
> OpenID assertion so you would restrict things like password changes to
> require a local login.
>
>
>
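
The two approaches in the quoted message (a list of URLs the site will no longer accept, and a local account mapped to an OpenID URL with sensitive actions restricted to local login), as an added example that is not part of the original thread. The `Board` class, its method names, and the assumption that `verified_url` has already passed OpenID verification and normalization are hypothetical.

```python
import hashlib, hmac, os
from dataclasses import dataclass

@dataclass(frozen=True)
class Session:
    username: str
    method: str  # "local" (password) or "openid" (verified assertion)

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

class Board:
    """Hypothetical message board acting as an OpenID consumer."""
    def __init__(self):
        self.passwords = {}    # username -> (salt, password hash)
        self.openid_map = {}   # OpenID URL -> local username
        self.revoked = set()   # URLs no longer accepted as identity

    def register(self, username, password):
        salt = os.urandom(16)
        self.passwords[username] = (salt, _hash(password, salt))

    def login_local(self, username, password):
        salt, stored = self.passwords.get(username, (b"\0" * 16, b""))
        ok = hmac.compare_digest(_hash(password, salt), stored)
        return Session(username, "local") if ok else None

    def login_openid(self, verified_url):
        # Assumption: the assertion for verified_url was already validated.
        if verified_url in self.revoked:
            return None
        user = self.openid_map.get(verified_url)
        return Session(user, "openid") if user else None

    def link(self, session, url):
        if session.method != "local" or url in self.revoked:
            raise PermissionError("linking needs a local login and a non-revoked URL")
        self.openid_map[url] = session.username

    def unlink(self, session, url):
        # Removing the mapping also puts the URL on the refuse list.
        if session.method != "local" or self.openid_map.get(url) != session.username:
            raise PermissionError("unlinking requires the owner's local login")
        del self.openid_map[url]
        self.revoked.add(url)

    def change_password(self, session, new_password):
        if session.method != "local":
            raise PermissionError("password change requires a local login")
        self.register(session.username, new_password)
```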



