>Especially for sites such as Blogger, where the URIs may or may not
>have been actually used as OpenIDs,

Here's my concern: what about sites such as ISPs that aren't providing mass content publication as a service, but merely happen to include "100MB web page at www.oursite.com/~yourusername!"? The host then might not even be *aware* of OpenID, but if they don't force users to limit themselves to working through pre-existing templates, a web-savvy user could simply upload a new version of one of their pages, to include OpenID headers, and gain their own Identity. And if that host isn't OpenID-aware, it won't have any reason to provide generation fragments.

The only question then is whether the ISP's policy (if any) on letting new accounts be created with the same username as a terminated account permits such things within a shorter time frame than the "OP/RP best practices" list suggests.

It's not safe to rely on an OP to provide generation fragments for this, since an Identity thief could just specify another OP in the headers (or run their own). For the same reason this can't be prevented by having an OP refuse to reset passwords (or other authentication measures) - the OP can be certain the user isn't the same one as was at that URI previously, but that won't matter if the Identity thief puts that OP out of the picture before going to the RP.

-Shade

_______________________________________________
security mailing list
[email protected]
http://openid.net/mailman/listinfo/security
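
The scenario described in the message above, as an added example that is not part of the original post: a toy relying party that keys accounts on the full claimed identifier (URL plus generation fragment) and accepts an assertion when the asserting OP is the one currently named in the page's headers. The class, the `.example` hosts, the fragment values and the "OP changed" audit result are all constructed for illustration; recording the first-seen OP is an assumption of this sketch, not something the post proposes.

```python
from urllib.parse import urldefrag


class RelyingParty:
    """Toy RP (hypothetical): accounts keyed by claimed identifier incl. fragment."""

    def __init__(self, discover):
        self.discover = discover  # callable: URL -> OP endpoint named in the page headers
        self.accounts = {}        # claimed_id -> OP endpoint seen at first login

    def login(self, claimed_id, asserting_op):
        url = urldefrag(claimed_id).url  # discovery runs on the URL without the fragment
        if self.discover(url) != asserting_op:
            return "rejected"            # this OP is not the one the page points at
        if claimed_id not in self.accounts:
            self.accounts[claimed_id] = asserting_op
            return "new-account"
        if self.accounts[claimed_id] != asserting_op:
            # Assumption of this sketch: the RP remembers the first OP, so the
            # switch is at least visible in its audit trail.
            return "existing-account, OP changed"
        return "existing-account"


def scenario():
    url = "http://www.oursite.example/~yourusername"  # constructed sample URL
    op_a, op_b = "https://op-a.example/", "https://op-b.example/"
    headers = {url: op_a}                             # what the hosted page declares
    rp = RelyingParty(lambda u: headers.get(u))
    results = []

    # 1. Original owner signs up; OP A issues generation fragment "gen1".
    results.append(rp.login(url + "#gen1", op_a))
    # 2. Username is reissued. If the new owner stays on OP A, OP A issues
    #    "gen2" and the RP treats it as a different identity: fragments work.
    results.append(rp.login(url + "#gen2", op_a))
    # 3. The new owner instead edits the page headers to name OP B, and OP B
    #    asserts the old fragment. Discovery now agrees with OP B, so the RP
    #    maps the login onto the original owner's account.
    headers[url] = op_b
    results.append(rp.login(url + "#gen1", op_b))
    # 4. OP A, which knows the user changed, is no longer consulted at all.
    results.append(rp.login(url + "#gen1", op_a))
    return results


if __name__ == "__main__":
    for step, outcome in enumerate(scenario(), 1):
        print(step, outcome)
```
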
