On 6/5/07, Johnny Bufu <[EMAIL PROTECTED]> wrote:
> > The fragment is not secret. It is not "protecting" your OpenID. You
> > should be able to get the fragment from any relying party that you
> > visited.
> I believe David's point is that you cannot retrieve the fragment from
> the RP if you have lost it and are no longer able to log into any
> RPs. (Unless there's an account recovery mechanism either on the RP
> or the OP.) The RPs know it, but are not supposed to display /
> disclose it.

The relying parties SHOULD make the fragment available to software
agents, at least, so that it's possible to compare identifiers across
sites. If the fragment is never available, then there is confusion
about which user of an identifier is responsible for content that has
been posted. One use case where software agents having access to the
fragment is particularly important is if the identifier is used for
access control, and the access control list is retrieved from off-site
(e.g. from a social networking site).

The implementation that seems most sane is for places that display the
identifier for human reading look like:

 <a href="http://josh.example.com/#this-is-intended-for-machine-consumption";

so that the software agent would see the fragment, but the user
wouldn't have to.

Using this approach, the fragment is trivially available anywhere you signed in.

There is also no reason that a relying party should hide the fragment
if a user asks for it. Since it is not sensitive information, it does
not require "account recovery."

specs mailing list

Reply via email to