thorfinn: <user name="seedy_girl"> and <user name="thorfinn"> (Default)
thorfinn ([personal profile] thorfinn) wrote2010-07-21 12:49 pm
  • Add Memory
  • Share This Entry
Entry tags:

LJ - Purging Accounts = Even More Broken OpenID

Hello, especially to anyone reading me who is on LiveJournal. LJ have recently started purging accounts that are idle inactive/suspended (Edited for accuracy).

This means that those account names can be claimed by people other than the original owner. (ETA: This has already been the case since 2005 with deleted accounts and renames, apparently, but I failed to notice that.)

Unfortunately, this fundamentally breaks the trust relationship of OpenID - which is based around the URL of the logging in site. Essentially, I cannot trust that the OpenID user http://thorfinn.livejournal.com/ will remain to be the original user, without continuously checking that that is so. I can't do that for more than a few users, so essentially, my only effective solution is to be unable to trust any OpenID from livejournal.com.

So, becauseĀ I cannot trust OpenIDs from livejournal.com, I cannot allow those OpenIDs to access my DW content. This means if you are on LJ, you will be unable to see my locked posts on DW, even if you log in using OpenID.

Most of you will get to read the post anyway, because I will keep cross-posting to LJ, but as I will not be allowing comments on LJ, there will be no commenting.

In short, I'm sorry for the inconvenience, but due to the lack of security of LJ OpenID introduced made even worse by this new policy, I can't allow LJ OpenIDs access to Dreamwidth directly.

If you wish to discuss anything in my locked posts, then come to Dreamwidth. For further references, see:

Flat | Top-Level Comments Only
vatine: Generated with some CL code and a hand-designed blackletter font (Default)

[personal profile] vatine 2010-07-21 01:48 pm (UTC)(link)
Back in the dark mists of time, LJ had an explicit policy of never allowing name re-use, but I can't say I've checked how that's evolved over the years.
lnr: Halloween 2023 (Default)

[personal profile] lnr 2010-07-21 02:36 pm (UTC)(link)
I seem to remember it being possible years back, but can't quantify that exactly.

The page which lists newly available (ie deleted and purged) account names has existed since at least mid-2007:

http://web.archive.org/web/*/http://www.livejournal.com/misc/expunged_list.bml

It looks like it wasn't possible to reuse a username in December 2004:

http://web.archive.org/web/20041216132254/http://www.livejournal.com/support/faqbrowse.bml?faqid=127

But has been possible since at least March 2006:

http://web.archive.org/web/20060318105519/http://www.livejournal.com/support/faqbrowse.bml?faqid=127
vatine: Generated with some CL code and a hand-designed blackletter font (Default)

[personal profile] vatine 2010-07-21 02:40 pm (UTC)(link)
I probably checked around September-October 2003 (based on when I did my first LJ post) and haven't paid much attention since.
pauamma: Cartooney crab wearing hot pink and acid green facemask holding drink with straw (Default)

[personal profile] pauamma 2010-07-21 05:06 pm (UTC)(link)
Renaming (for a fee) to the username of a deleted and purged account was already available in 2005 (on LJ).
Flat | Top-Level Comments Only