On 6/5/07, Recordon, David <[EMAIL PROTECTED]> wrote:
> Imagine if I install WordPress (or insert other app here) on
> https://davidrecordon.com and check the "Use fragments to protect my
> OpenID" box. A few months later I decide to remove WordPress, or an
> upgrade blows away my OpenID extension data, or I'm using an extension
> which stores the fragments in /tmp/ and they get blown away. I now no
> longer have access to my accounts on all the relying parties I've
> visited. Now what do I do?

The fragment is not secret. It is not "protecting" your OpenID. You should be able to get the fragment from any relying party that you visited. You might choose to use a fragment if you have acquired a recycled identifier, but you can choose the fragment. It protects *nothing* if you control the base identifier (to the point that you can choose an OpenID provider).

I'm not arguing for or against a particular approach here, but I think your argument is flawed.

Josh

_______________________________________________
specs mailing list
firstname.lastname@example.org
http://openid.net/mailman/listinfo/specs