OpenId Minus Id Equals Wide Open

Martin Atkins: Yahoo!'s OP and now it seems Microsoft’s OP both ignore the value of openid.identity provided to them, and just return an assertion for whatever user’s logged in.

I may ultimately need to black-list such ids.

Looking at the instructions:

At any Web site that supports OpenID 2.0, type in the OpenID login box to sign in to that site by means of your Windows Live ID OpenID alias.

If everybody uses the same URI, I can’t tell them apart. That doesn’t concern me much, but I do find it a bit distressing that that’s the recommended usage.

What concerns me is that people may use such a URI for delegation.  If Jorgen, for example, were to add such a generic URI as his openid.delegate link, then anybody who has a Windows Live ID could authenticate using his blog URI.
What concerns me more is if somebody follows these instructions for delegation.  Then anybody with a Windows Live ID could authenticate using his blog.

I note that Jorgen left a comment on Martin’s blog using  As long as that URI is uniquely his, and can’t be used by anybody else, that’s fine.
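
A relying-party check for the delegation problem described above, as an added example that is not code from this post or from any OpenID library. The `op.example` URLs, the sample pages and all function names are constructed assumptions, and the assertion's signature is assumed to have been verified already.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit

# Constructed placeholder: an identifier the OP gives to every user alike.
SHARED_IDS = {"https://op.example/"}

class LinkRels(HTMLParser):
    """Collect the first href seen for each <link rel=...> value."""
    def __init__(self):
        super().__init__()
        self.rels = {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link" and a.get("rel") and a.get("href"):
            for rel in a["rel"].lower().split():
                self.rels.setdefault(rel, a["href"].strip())

def norm(url):
    """Lower-case scheme and host, use "/" for an empty path, drop fragment."""
    u = urlsplit(url.strip())
    return urlunsplit((u.scheme.lower(), u.netloc.lower(), u.path or "/", u.query, ""))

def discover_delegate(html):
    """Return the delegated identifier (OpenID 2.0 link first, then 1.x)."""
    p = LinkRels()
    p.feed(html)
    return p.rels.get("openid2.local_id") or p.rels.get("openid.delegate")

def accept_assertion(claimed_html, response):
    """Decide on a positive assertion whose signature was already verified."""
    delegate = discover_delegate(claimed_html)
    if delegate is None:
        return False, "no delegation found"
    if norm(delegate) in SHARED_IDS:
        return False, "delegate is a shared identifier"
    if norm(response.get("openid.identity", "")) != norm(delegate):
        return False, "asserted identity differs from delegate"
    return True, "ok"

# Constructed sample pages: one delegates to the shared URI, one to a unique one.
SHARED_PAGE = '<link rel="openid.server" href="https://op.example/server">' \
              '<link rel="openid.delegate" href="https://OP.example">'
UNIQUE_PAGE = '<link rel="openid.server" href="https://op.example/server">' \
              '<link rel="openid.delegate" href="https://op.example/users/alice">'
```

A full OpenID 2.0 relying party would also compare openid.claimed_id and repeat discovery on it; this block covers only the delegate comparison and the black-list.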