>Josh Hoyt wrote:
>The fragment is not secret. It is not "protecting" your OpenID. You
>should be able to get the fragment from any relying party that you
>visited. You might choose to use a fragment if you have acquired a
>recycled identifier, but you can choose the fragment. It protects
>*nothing* if you control the base identifier (to the point that you
>can choose an OpenID provider).

Isn't this a core flaw with the fragment approach? That if you lose control
of the base identifier, you lose control of any fragment?

Wouldn't it be fairly easy -- precisely because the fragment is not secret
-- for the party that takes over the base identifer to discover the
fragment(s) that have been used earlier, and thus for the new owner to then
be able to spoof any fragment that has been issued?

I supposed this doesn't apply to large sites, where all identifiers are
managed "in trust" for users and they can enforce non-access to previous
fragments. But for personal URLs it doesn't appear to work at all. Am I
missing anything?


specs mailing list

Reply via email to