On 5-Jun-07, at 11:12 AM, Josh Hoyt wrote:

> On 6/5/07, Recordon, David <[EMAIL PROTECTED]> wrote:
>> Imagine if I install WordPress (or insert other app here) on
>> https://davidrecordon.com and check the "Use fragments to protect my
>> OpenID" box. A few months later I decide to remove WordPress, or an
>> upgrade blows away my OpenID extension data, or I'm using an extension
>> which stores the fragments in /tmp/ and they get blown away. I now no
>> longer have access to my accounts on all the relying parties I've
>> visited. Now what do I do?
>
> The fragment is not secret. It is not "protecting" your OpenID. You
> should be able to get the fragment from any relying party that you
> visited.

I believe David's point is that you cannot retrieve the fragment from
the RP if you have lost it and are no longer able to log into any RPs.
(Unless there's an account recovery mechanism either on the RP or the OP.)
The RPs know it, but are not supposed to display / disclose it.

> You might choose to use a fragment if you have acquired a
> recycled identifier, but you can choose the fragment. It protects
> *nothing* if you control the base identifier (to the point that you
> can choose an OpenID provider).

Agreed - if you lose control over the URL, you can no longer use your
old online identity. However, the issue / feature this does address is
"protect your RP accounts if you lose your identity". (The new owner of
davidrecordon.com would not be able to sign into the old
davidrecordon.com's digg account.)

Johnny
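
The behaviour discussed in this thread, as an added sketch that is not part of the original message or of any OpenID library: a relying party keys accounts on the full identifier including the fragment and shows only the fragment-less URL. The `RelyingParty` class, the `blog.example` URL and the fragment values are all constructed for illustration.

```python
from urllib.parse import urldefrag


class RelyingParty:
    """Toy RP that keys accounts on the full identifier, fragment included."""

    def __init__(self):
        self._accounts = {}  # full identifier -> local account name

    def register(self, identifier, account):
        self._accounts[identifier] = account

    def login(self, asserted_identifier):
        # Exact match on the whole identifier: the same base URL with a
        # different (or missing) fragment is treated as a different user.
        return self._accounts.get(asserted_identifier)

    @staticmethod
    def display_form(identifier):
        # Only the fragment-less URL is shown, so the fragment cannot be
        # read back from an account page.
        return urldefrag(identifier).url


BASE = "https://blog.example/"  # constructed base identifier
OLD = BASE + "#2007a"           # constructed fragment, original owner
NEW = BASE + "#2009b"           # constructed fragment after reassignment


def demo():
    rp = RelyingParty()
    rp.register(OLD, "old-owner-account")
    return {
        "old_owner": rp.login(OLD),       # original owner still matches
        "new_owner": rp.login(NEW),       # new owner of the URL does not
        "lost_fragment": rp.login(BASE),  # owner who lost the fragment does not
        "shown": rp.display_form(OLD),    # what the RP displays
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "->", value)
```

The `lost_fragment` case is the lock-out raised in the quoted question; the `new_owner` case is the account protection described in the reply.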