On 5-Jun-07, at 11:12 AM, Josh Hoyt wrote:

> On 6/5/07, Recordon, David <[EMAIL PROTECTED]> wrote:
>> Imagine if I install WordPress (or insert other app here) on
>> https://davidrecordon.com and check the "Use fragments to protect my
>> OpenID" box.  A few months later I decide to remove WordPress, or an
>> upgrade blows away my OpenID extension data, or I'm using an  
>> extension
>> which stores the fragments in /tmp/ and they get blown away.  I  
>> now no
>> longer have access to my accounts on all the relying parties I've
>> visited.  Now what do I do?
> The fragment is not secret. It is not "protecting" your OpenID. You
> should be able to get the fragment from any relying party that you
> visited.

I believe David's point is that you cannot retrieve the fragment from  
the RP if you have lost it and are no longer able to log into any  
RPs. (Unless there's an account recovery mechanism either on the RP  
or the OP.) The RPs know it, but are not supposed to display /  
disclose it.

> You might choose to use a fragment if you have acquired a
> recycled identifier, but you can choose the fragment. It protects
> *nothing* if you control the base identifier (to the point that you
> can choose an OpenID provider).

Agreed - if you loose control over the URL, you can no longer use  
your old online identity.

However, the issue / feature this does address is "protect your RP  
accounts if you loose your identity". (The new owner of  
davidrecordon.com would not be able to sign into the old  
davidrecordon.com's digg account.)


specs mailing list

Reply via email to