On 03/08/2013 01:34 AM, Petr Bena wrote:
this shouldn't be very dangerous
Even if it isn't in practice in the typical cases, it exposes a third party to a risk they are unable to assess if they use that OpenID. (And it doesn't require a 'crat going rogue even here -- renames are sometimes done without salting the former username and an unrelated third party could create an account to reuse the username and then probe plausible consumers of the ID).
-- Marc