So, while I still retain possession of my URI (before I give it up), I "log in" with my old URI to a universal OpenID revocation list. Then I go ahead and give up control of that Identifier. End of story for the end user.

I like it... sounds simple enough for the end user to understand (whereas I would shudder trying to give them an accurate idea of how PKI works!), doesn't ask too much of them. It can probably be represented with a direct analogy to E-mail addresses.

Perhaps OpenID v.next can include a provision that requires RPs to check some http://openid.net/revocationlist URI periodically to download a list of URIs to never allow login for.

That sounds more like a blacklist than a revocation list. Or are you suggesting that OPs assign a generation fragment to *every* URI simply to account for the possibility that, at some future time, any/all of these URIs *might* change hands?

And yes, OpenID is supposed to be decentralized. I haven't figured that one out yet.

Thoughts?

Use a P2P structure where any OP in the community can use CRLs signed by others?

But here's a new headache: with the CRL possible merely by "the user logging in", there's no longer the freedom to simply switch to another OP if you don't like the one you have - a malicious OP could permanently terminate your Identity!

If you still had control of the URI this would be more of a reset than a termination, but I think that adding to the CRL should be determined by the same weak point that we already have: an ability to add headers to the URL of your Identity page. Whoever demonstrates ownership of that page has the power to specify an OP, so if they've got that then they're already holding the keys to your kingdom anyway.

-Shade
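As an added illustration (not code from the thread or from any OpenID implementation), the following Python sketches the two checks the discussion above turns on from the relying party's side: applying a revocation list keyed on claimed identifiers that carry a generation fragment (so that revoking one "generation" of a URI does not condemn its later owner), and confirming that the OP which asserted the identity is the one the identity page itself delegates to, since whoever controls that page is already "holding the keys". The revocation list format, the helper names and the sample identity page are assumptions constructed for this example; the `openid2.provider` / `openid.server` link relations are the delegation markup defined by OpenID 2.0 and 1.1 respectively.

```python
import re
from urllib.parse import urldefrag

# Constructed sample revocation list (assumed format, not from the thread).
# Each entry is (base_uri, generation); generation None means every
# generation of that URI is revoked.
SAMPLE_REVOCATIONS = [
    ("http://example.com/alice", "gen1"),
    ("http://example.com/bob", None),
]

# Constructed identity page, as an RP would fetch it during discovery.
SAMPLE_IDENTITY_PAGE = """<html><head>
<link rel="openid2.provider" href="https://op.example.org/server">
<link rel="openid2.local_id" href="https://op.example.org/alice">
</head><body>alice</body></html>"""

LINK_RE = re.compile(r'<link\s+rel="([^"]+)"\s+href="([^"]+)"', re.IGNORECASE)


def split_generation(claimed_id):
    """Split http://example.com/alice#gen2 into ('http://example.com/alice', 'gen2').
    A claimed identifier without a fragment yields generation None."""
    base, frag = urldefrag(claimed_id)
    return base, (frag or None)


def build_index(entries):
    """Index revocation entries by base URI: None = whole URI revoked,
    otherwise the set of revoked generation fragments."""
    index = {}
    for base, gen in entries:
        if gen is None:
            index[base] = None  # whole-URI revocation overrides per-generation ones
        elif index.get(base, set()) is not None:
            index.setdefault(base, set()).add(gen)
    return index


def is_revoked(claimed_id, index):
    """True if the RP must refuse login for this claimed identifier."""
    base, gen = split_generation(claimed_id)
    if base not in index:
        return False
    revoked = index[base]
    if revoked is None:
        return True
    # A fragment-less identifier cannot be told apart from a revoked
    # generation of the same URI, so treat it conservatively as revoked.
    if gen is None:
        return True
    return gen in revoked


def declared_provider(html):
    """Return the OP endpoint the identity page delegates to, or None."""
    for rel, href in LINK_RE.findall(html):
        if rel.lower() in ("openid2.provider", "openid.server"):
            return href
    return None


def decide_login(claimed_id, asserting_op, identity_page_html, index):
    """RP policy hook: (allowed, reason). The identity page, not the OP,
    is the authority on which OP may speak for this identifier."""
    if is_revoked(claimed_id, index):
        return False, "identifier is on the revocation list"
    expected_op = declared_provider(identity_page_html)
    if expected_op is None:
        return False, "identity page declares no OP"
    if expected_op != asserting_op:
        return False, "asserting OP does not match identity page"
    return True, "ok"


if __name__ == "__main__":
    idx = build_index(SAMPLE_REVOCATIONS)
    for cid, op in [
        ("http://example.com/alice#gen1", "https://op.example.org/server"),
        ("http://example.com/alice#gen2", "https://op.example.org/server"),
        ("http://example.com/alice#gen2", "https://rogue.example.net/server"),
    ]:
        print(cid, op, decide_login(cid, op, SAMPLE_IDENTITY_PAGE, idx))
```

The generation fragment is what keeps a revocation from outliving the ownership change it records: only the listed generation is refused, and a fresh owner whose OP issues a new fragment is unaffected. The provider check is the counterweight to the "malicious OP" worry in the thread: an OP that is not named by the identity page cannot assert for it at all, so its ability to push a revocation buys it nothing the page owner has not already granted.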
_______________________________________________
security mailing list
[email protected]
http://openid.net/mailman/listinfo/security