Are OpenID Identity URLs considered sensitive information? For example, is it safe to store plain text OpenID Identity URLs in a DB or whatnot?
I can't think of any reason that you shouldn't... but damn am I good at being wrong sometimes!
The OpenID is, basically, the User Name portion of a login. You don't need to treat it with any more security than you would any other UserID.
In my opinion, it should be considered secret. It's safe to store in DBs as plain text, but I wouldn't go around displaying people's OpenIDs for anyone to view. There are numerous reasons, some being:
It's not critical that it remains private, however, hence the extra effort to hash (and salt/etc) it is not really necessary. It just creates another place to maintain a bit of complexity, and an area that could go wrong. That said, if I saw it done, I wouldn't really be upset about it.
Certainly, I think it is wrong to consider an OpenID as a public bit of information.