The "WordPress" User Problem (WAS: RE: Specifying identifier recycling)
Josh Hoyt
josh at janrain.com
Tue Jun 5 18:12:10 UTC 2007
On 6/5/07, Recordon, David <drecordon at verisign.com> wrote:
> Imagine if I install WordPress (or insert other app here) on
> https://davidrecordon.com and check the "Use fragments to protect my
> OpenID" box. A few months later I decide to remove WordPress, or an
> upgrade blows away my OpenID extension data, or I'm using an extension
> which stores the fragments in /tmp/ and they get blown away. I now no
> longer have access to my accounts on all the relying parties I've
> visited. Now what do I do?
The fragment is not secret. It is not "protecting" your OpenID. You
should be able to get the fragment from any relying party that you
visited. You might choose to use a fragment if you have acquired a
recycled identifier, but you can choose the fragment. It protects
*nothing* if you control the base identifier (to the point that you
can choose an OpenID provider).
I'm not arguing for or against a particular approach here, but I think
your argument is flawed.
Josh
More information about the specs
mailing list