Forbid OpenID recycling

[pseudomonas]

Title:
Forbid OpenID recycling

Area:
OpenID

Summary:
DW is an OpenID provider. OpenID is becoming more widely used by a variety of types of site. When a journal name is deletd, purged, and re-sold, the associated OpenID is (AIUI) also re-sold. This presents privacy concerns.

Description:
I use my OpenID as an identity on sites X,Y, and Z (which I may forget about subsequently, the Internet and my memory being what they are). I delete my DW account, and you buy the username. You then find out that site X thinks you're me (not allowing you to change "immutable" details such as date of birth) and site Y has banned the username for abuse. Site Z has personal information about me in that you now have access to and which I cannot revoke. My friend has given the OpenID read-access to her journal on a remote site - you can now read her locked entries.

Disadvantages: forbidding this means either no sale of reconditioned usernames, or those usernames being sold with their OpenID features disabled.

Alternatives: tell people deleting their journal in big letters that they should attempt to remember all the places they entered their OpenID and go around removing private details and/or deleting accounts on the remote sites and/or telling their contacts to revoke their privileges. I don't think this is often terribly feasible - one of the joys of OpenID is that it makes it easy to sign in and do stuff in lots of places without keeping track of lots of usernames.
Even for people who've never knowingly used OpenID at all, they may have read privileges such as those granted by DW's import tool.

I'd really rather there was a technical solution whereby this wasn't a problem. I'm not an OpenID expert; hopefully someone else in the community is!

Poll #1286 Forbid OpenID recycling

Open to: Registered Users, detailed results viewable to: All, participants: 31

View Respondents

This suggestion:

View Answers

Should be implemented as-is.
11 (35.5%)

Should be implemented with changes. (please comment)
5 (16.1%)

Shouldn't be implemented.
7 (22.6%)

(I have no opinion)
7 (22.6%)

(Other: please comment)
1 (3.2%)

Comments

[cheyinka]

Would it be possible for the OpenID that Dreamwidth generates to be marked as a rename, somehow?

I have no idea how this would work - maybe having it display as cheyinka.dreamwidth.org#2, or something? Of course then there'd be people copying and pasting that into their browsers and getting nothing, so maybe that won't work.

[pseudomonas]

If OpenID consumers (the remote sites verifying) always cached the canonicalised ID then I think one could make it discover to something else - (like [I think] LJ openIDs resolve username.site.com to site.com/users/username) it could go to site.com/users/2/username - except I don't *think* the OpenID consumers have to cache the canonicalised version when first supplied. It'd cause other problems with portability and things, I suspect.

[aveleh]

What about having a page like http://www.dreamwidth.org/openid/options.bml that saves a list of all places that you've logged in, instead of only the ones that are currently "active"? (I like the idea of also displaying it on the options.bml page so that users know to expect it.) Then when a user wants to delete, send them to that page and explicitly say "you will no longer be able to access the following" and "if your username is re-registered", etc, etc.

[pseudomonas]

I personally have given access to many OpenIDs who have quite possibly never logged in.

[aveleh]

Do you mean that you've given access to your journal for people who use OpenIDs? If you give access to an OpenID user who then gets their username recycled off-Dreamwidth, there's nothing that can be done on this side. I didn't think that's what your original suggestion was about.

What I was proposing, is that if I, for example, went to delete my account, I'd be brought to a page that says "hey, don't forget, you use this account to login to the dreamwidth wiki! So if you delete your account, you won't be able to log in to that wiki. And if someone else re-registers your name, then they'll be able to log in to that wiki and pull up all your information!"

Dreamwidth has that information right now - I can see the wiki listed on http://www.dreamwidth.org/openid/options.bml. However, if I delete it from that page, then I don't have a list of which sites I *have* used. My original comment is saying that a list of *all* the sites that I've ever used my openID (and therefore passed a login through Dreamwidth) should be stored, and then it should be listed when a user wants to delete their account.

Then, if someone doesn't want their OpenID to become available to someone else, they'll just have to not delete their DW account.

[thorfinn]

+1

DW Remembering where you've logged in using your OpenID and giving you a page to look at is the right thing to do.

Is there a separate suggestion for that?

[cesy]

This makes sense. Adding a list to that page of sites where you clicked "Verify just this time" as well as the list of "Verify always" would make it much easier to go and find them and deal with them.

[pseudomonas]

How do you deal with it if the site on the list is, say, google.com?

[cesy]

I don't know - I don't remember ever having used my OpenID there. I doubt this would solve the problem completely, but it would be a significant step in the right direction, useful even in other situations and would be uncontroversial, so I figure it should be done in the meantime while we figure out the rest of the problem.

[susanreads]

I've put "No opinion" because there's a problem that needs to be solved but I'm not convinced this is a feasible solution. I didn't know that page existed, and I just looked and there's nothing on it, because when I use OpenID, it's to comment on various other sites and I use "just this time".

[kaigou]

does this issue -- of caching -- apply if you've always selected the "just this time" option, always, for everything? does anyone know?

[susanreads]

Oops - by "this" I meant the OP. Adding "just this time" verifications to that page would help, but if it says LJ, IJ, Google, etc. it won't show the actual journals and blogs I've used it at.

[queenbarwench]

+1

[cesy]

I think LJ would still have a record of that, though, because DW would at some stage have to verify the username. So if someone imported entries with your comments to another DW-code site, I think it should still have a record on DW, even if you personally hadn't ever logged in on DW-clone.

[pseudomonas]

This is an improvement, but naming a large site like LJ or Blogspot or any DW-codebase site in future (which is what you get) isn't the same as tracking down the people who have to revoke your access.

If people on fifteen other DW-alikes have granted me access, they might well not all be checking my site on a regular basis to see if I'm still active.

And this still doesn't deal with someone buying a purged account in good faith and then finding out their ID has been blocked from major sites due to abuse.

[cesy]

And this still doesn't deal with someone buying a purged account in good faith and then finding out their ID has been blocked from major sites due to abuse.

Could we just add a warning with a link to a FAQ for now, though I know that doesn't solve it long-term?

[pseudomonas]

I thought that DW isn't actually selling purged usernames just yet anyway, but plans to; correct me if I'm wrong on this.

[cesy]

No, that's right - they haven't done any purges yet, as far as I know.

[yvi]

Neither do we have renames yet :)

[rebelsheart]

I understand the concerns, but that's a huge feature to disable on a rename. I'd like to see more options on how to approach this

[cesy]

Until a better solution is found, a FAQ and a big warning on deletion sound sensible.

[charmian]

Eh... Isn't the point of openID that it's not supposed to be authentication, but identity? In other words, if it IS the person who is the owner of the site, then they have a right to that openID.

I think it would be better to educate people on this fact before they delete their journals/before they rename their journal to a previously used username.

[cheyinka]

I think you're right, and I hadn't thought about that. If cheyinka.deadjournal.com just means that right now I have legitimate access to cheyinka, then if someone renames their DeadJournal to "cheyinka", now they legitimately are cheyinka.deadjournal.com, everywhere they want to go and everywhere I've been. Hmmm.

[charmian]

Yeah, it's supposed to prove that you're legitimately the owner of that site, IIRC. I suppose there could be a workaround with userID numbers (which IIRC are different even if the name is the same?), but I have no idea how it would work.

Anyway, like it says above, I think most of the problem could be averted with better education.

[cheyinka]

The workaround with userid numbers seems better than my attempt at just sequentially numbering the use of usernames, but userid numbers can be pretty long, so displaying them wouldn't do it, and I don't think there's really a way to check, at least not as OpenID is implemented now.

On the other hand, there's the case of the person who used to have whatever account name, and has now lost access to everything that granted access to whateveraccountname.dreamwidth.org, and that'll only be fixable with education.

[charmian]

Yeah, I have no idea how OpenID really works, but it doesn't seem like that would be possible.

I think a warning message on the deletion screen is a better idea.

[msilverstar]

I like that too. It may be an OpenID problem, but if DW can pioneer a good solution, the better for everyone.

[turlough]

Yeah, what I think too.

[adalger]

I've voted against because what you've noted is a design flaw in the OpenID system itself. It isn't Dreamwidth's job to fix that deficiency. As others have said, education is the answer.