The "WordPress" User Problem (WAS: RE: Specifying identifier recycling)

Recordon, David drecordon at verisign.com
Tue Jun 5 21:55:17 UTC 2007


I thought the fragment was to be secret so that for the case of using a
personal domain you don't have to own joshhoyt.com forever.  Rather, as
long as your fragments are secret, someone else can buy joshhoyt.com and
not be you.  If this is no longer a requirement then it certainly
changes the game, though it also doesn't solve one of the other aspects of
identifier recycling.

--David 

-----Original Message-----
From: joshhoyt at gmail.com [mailto:joshhoyt at gmail.com] On Behalf Of Josh
Hoyt
Sent: Tuesday, June 05, 2007 11:58 AM
To: Johnny Bufu
Cc: Recordon, David; Johannes Ernst; OpenID specs list
Subject: Re: The "WordPress" User Problem (WAS: RE: Specifying
identifier recycling)

On 6/5/07, Johnny Bufu <johnny at sxip.com> wrote:
> > The fragment is not secret. It is not "protecting" your OpenID. You 
> > should be able to get the fragment from any relying party that you 
> > visited.
>
> I believe David's point is that you cannot retrieve the fragment from 
> the RP if you have lost it and are no longer able to log into any RPs.
>
> (Unless there's an account recovery mechanism either on the RP or the 
> OP.) The RPs know it, but are not supposed to display / disclose it.

The relying parties SHOULD make the fragment available to software
agents, at least, so that it's possible to compare identifiers across
sites. If the fragment is never available, then there is confusion about
which user of an identifier is responsible for content that has been
posted. One use case where software agents having access to the fragment
is particularly important is if the identifier is used for access
control, and the access control list is retrieved from off-site (e.g.
from a social networking site).

The implementation that seems most sane is for places that display the
identifier for human reading to look like:

    <a href="http://josh.example.com/#this-is-intended-for-machine-consumption"
      >http://josh.example.com/</a>

so that the software agent would see the fragment, but the user wouldn't
have to.

Using this approach, the fragment is trivially available anywhere you
signed in.

There is also no reason that a relying party should hide the fragment if
a user asks for it. Since it is not sensitive information, it does not
require "account recovery."

Josh
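As an added illustration of the relying-party behaviour Josh describes (not code from the thread or from any OpenID library): the full claimed identifier, fragment included, goes into the href for software agents, the fragment-free URL is what the human sees, and identifiers are compared with the fragment intact so that a recycled URL with a new fragment is treated as a different user, including when the ACL is fetched off-site. Function names and the sample ACL are constructed for this example.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urldefrag


def split_identifier(claimed_id):
    """Return (base_url, fragment) for an OpenID claimed identifier.
    urldefrag does no normalisation, so the base URL is kept verbatim."""
    base, fragment = urldefrag(claimed_id)
    return base, fragment


def same_user(id_a, id_b):
    """Identifiers name the same user only if base URL *and* fragment match.
    The fragment is what distinguishes the current owner of a recycled URL
    from a previous one, so dropping it would merge two different people."""
    return split_identifier(id_a) == split_identifier(id_b)


def render_identifier(claimed_id):
    """Human-readable display: fragment-free link text, full identifier
    (fragment included) in the href. Both parts are HTML-escaped."""
    base, _ = split_identifier(claimed_id)
    return '<a href="%s">%s</a>' % (escape(claimed_id, quote=True), escape(base))


class _HrefCollector(HTMLParser):
    """What a software agent does with the rendered page: read the hrefs."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)


def identifiers_in_page(html_text):
    parser = _HrefCollector()
    parser.feed(html_text)
    return parser.hrefs


def is_authorized(claimed_id, acl):
    """ACL entries (e.g. fetched from another site) must carry fragments too;
    a new owner of the same URL with a different fragment is not on the list."""
    return any(same_user(claimed_id, entry) for entry in acl)


# Constructed sample: Josh's identifier from the thread, plus a hypothetical
# later owner of the same URL who was issued a different fragment.
JOSH = "http://josh.example.com/#this-is-intended-for-machine-consumption"
NEW_OWNER = "http://josh.example.com/#issued-after-recycling"
ACL = [JOSH, "http://alice.example.org/#k9"]
```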


