OpenId Minus Id Equals Wide Open
Martin Atkins: Yahoo!'s OP and now it seems Microsoft’s OP both ignore the value of openid.identity provided to them, and just return an assertion for whatever user’s logged in.
I may ultimately need to black-list such ids.
Looking at live.com instructions:
At any Web site that supports OpenID 2.0, type
openid.live-INT.com
in the OpenID login box to sign in to that site by means of your Windows Live ID OpenID alias.
If everybody uses the same URI, I can’t tell them apart. That doesn’t concern me much, but I do find it a bit distressing that that’s the recommended usage.
What concerns me more is if somebody follows these instructions for delegation. If Jorgen, for example, were to add such a generic URI as his openid.delegate link, then anybody with a Windows Live ID could authenticate using his blog URI.
I note that Jorgen left a comment on Martin’s blog using http://openid.live-int.com/jt. As long as that URI is uniquely his, and can’t be used by anybody else, that’s fine.
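An added example, not code from the original post: the relying-party check that catches both problems described above, an OP that asserts whatever user is logged in instead of the requested openid.identity, and a delegate link pointing at a generic OP URI that every user of that OP shares. The hostnames, discovery records and the shared-identifier list are constructed for illustration; signature verification is assumed to happen elsewhere.

```python
# Added example: relying-party side verification of an OpenID 2.0 positive
# assertion against what discovery on the claimed identifier produced.
from urllib.parse import urlparse

# Constructed: discovery results the RP saved before redirecting to the OP.
# local_id is the openid.delegate (OP-Local Identifier) found on the claimed URI.
DISCOVERED = {
    "http://blog.example.org/": {
        "op_endpoint": "https://op.example.com/auth",
        "local_id": "https://op.example.com/jt",   # user-specific delegate
    },
    "http://shared.example.org/": {
        "op_endpoint": "https://op.example.com/auth",
        "local_id": "https://op.example.com/",     # generic OP URI used as delegate
    },
}

# Constructed: identifiers that name an OP rather than one user. An assertion
# for one of these is true for every user that OP has logged in, so it proves
# nothing about who owns the delegating page.
SHARED_IDENTIFIERS = {"https://op.example.com/"}


def _norm(url):
    """Normalise scheme/host case and a missing trailing slash before comparing."""
    p = urlparse(url.strip())
    return f"{p.scheme.lower()}://{p.netloc.lower()}{p.path or '/'}"


def verify_assertion(claimed_id, response, discovered=DISCOVERED,
                     shared=SHARED_IDENTIFIERS):
    """Return (ok, reason) for a positive assertion received for claimed_id.

    Applies the OpenID 2.0 rule that openid.claimed_id, openid.op_endpoint and
    openid.identity in the response must match what discovery produced, plus
    the blacklist of shared OP identifiers the post suggests.
    """
    info = discovered.get(claimed_id)
    if info is None:
        return False, "no discovery record for claimed identifier"
    if _norm(response.get("openid.claimed_id", "")) != _norm(claimed_id):
        return False, "openid.claimed_id differs from the identifier requested"
    if _norm(response.get("openid.op_endpoint", "")) != _norm(info["op_endpoint"]):
        return False, "assertion came from an undiscovered OP endpoint"
    if _norm(info["local_id"]) in {_norm(s) for s in shared}:
        return False, "delegate is a shared OP identifier, not a single user"
    if _norm(response.get("openid.identity", "")) != _norm(info["local_id"]):
        return False, "OP asserted a different identity than was requested"
    return True, "identity matches discovered delegate"
```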