On 03/08/2013 01:34 AM, Petr Bena wrote:
> this shouldn't be very dangerous

Even if it isn't in practice in the typical cases, it exposes a third
party to a risk they are unable to assess if they use that OpenID. (And
it doesn't require a 'crat going rogue even here -- renames are
sometimes done without salting the former username and an unrelated
third party could create an account to reuse the username and then probe
plausible consumers of the ID).
-- Marc