Dealing with renames

Kristopher Tate kris at
Mon May 30 12:14:19 PDT 2005

On 2005/05/30, at 11:09 AM, Ben Hyde wrote:

> [snip]
> That is bogus.
> The fix is easy, but it requires adding something to the assertion.
> Have Victor add something that changes when the owner changes.

On 2005/05/29, at 2:36 PM, Kristopher Tate wrote:
> [...] For OpenID, perhaps the server should create a sha1 hash of a  
> unique id + fqdn, and then give it to the consumer for verification.

This is really simple, folks. On any SQL setup, you're bound to save  
each record-set with an ID, right?

So, couple that with the fully qualified domain name  
(example.[com|net|org]) add it to the assertion, and return it just the  
same with all the other arguments.

Consumers now reference the hash, instead of the ID-URL. Remember, the  
ID-URL is for the user.

The plus side to this is that there really is no restriction on the  
Server's DB setup. As long as the Server can generate a unique ID, the  
process in doing that doesn't matter -- just the hash does.

Here's an example of how this would work:

On our user framework, everyone has Unique ID. This ID is nothing more  
than an integer.

When a user calls to our auth server from an OpenID form, it does its  
magic. Upon success, it would return the following assertion:

> BASE64(DSA(SHA1("[timestamp]::assert_identity::[assert_identity]:: 
> [return_to]::[SHA1(unique_id + '::' + server_fqdn)]")))

In my case, the sha1 hash would look like: sha1("") or  

Then, the server would return an argument back to the consumer with  
something like:

> openid.uid=a2cc6e3fb57c315563916078ad615bcdced4d106

The consumer would store that, and reference it for later use. If  
sometime in the future, the user deletes their account, and someone  
else obtains the same username, the ID would change and the consumer  
would simply discard all of the other information held under the  
previous openid.uid for the asserted ID-URL.

This way, we truly know that this is the one and only user, for as long  
as that user also has the same openid.uid hash.

Honestly, I don't think this is such a hard thing to implement -- heh,  
but I will say that getting DSS1 to work on PHP was. :-)

More anon,

-Kristopher Tate

More information about the yadis mailing list