The "WordPress" User Problem (WAS: RE: Specifying identifier recycling)
Johnny Bufu
johnny at sxip.com
Tue Jun 5 22:17:34 UTC 2007
On 5-Jun-07, at 11:58 AM, Josh Hoyt wrote:
> The relying parties SHOULD make the fragment available to software
> agents, at least, so that it's possible to compare identifiers across
> sites. If the fragment is never available, then there is confusion
> about which user of an identifier is responsible for content that has
> been posted. One use case where software agents having access to the
> fragment is particularly important is if the identifier is used for
> access control, and the access control list is retrieved from off-site
> (e.g. from a social networking site).
>
> The implementation that seems most sane is for places that display the
> identifier for human reading look like:
>
> <a href="http://josh.example.com/#this-is-intended-for-machine-consumption">http://josh.example.com/</a>
>
> so that the software agent would see the fragment, but the user
> wouldn't have to.
On 5-Jun-07, at 2:55 PM, Recordon, David wrote:
> I thought the fragment was to be secret so that for the case of using a
> personal domain you don't have to own joshhoyt.com forever. Rather as
> long as your fragments are secret, someone else can buy joshhoyt.com and
> not be you. If this is no longer a requirement then it certainly
> changes the game, though also doesn't solve one of the other aspects of
> identifier recycling.
I thought so too, but I believe Josh is right - the "lost domain"
cell with an X in it (for URL + public fragment) supports Josh's
statement:
http://openid.net/wiki/index.php/IIW2007a/Identifier_Recycling
So if we're not dealing with this use case, it becomes actually
simpler to address just the identifier recycling for big OPs, where
losing the domain is not an issue.
Johnny
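
Added example, not part of the original thread or of any OpenID library: a relying-party sketch of the proposal quoted above, where the fragment stays in the `href` for software agents, the visible text omits it, and access-control comparison treats the fragment as significant. The function names and the fragment values `gen1`/`gen2` are hypothetical and constructed for illustration.

```python
from html import escape
from urllib.parse import urldefrag


def display_link(claimed_id: str) -> str:
    """Render an identifier so agents see the fragment and readers do not."""
    visible, _fragment = urldefrag(claimed_id)
    # Escape both parts: the identifier is user-controlled input.
    return '<a href="{}">{}</a>'.format(
        escape(claimed_id, quote=True), escape(visible)
    )


def compare_identifiers(stored: str, presented: str) -> str:
    """Classify two identifiers as 'same-user', 'recycled' or 'different'.

    'recycled' means the URL matches but the fragment does not, i.e. the
    same URL is now held by a different user of that identifier.
    """
    stored_url, stored_frag = urldefrag(stored)
    presented_url, presented_frag = urldefrag(presented)
    if stored_url != presented_url:
        return "different"
    return "same-user" if stored_frag == presented_frag else "recycled"


def acl_allows(acl: set, presented: str) -> bool:
    """Grant access only on a full URL-plus-fragment match."""
    return any(compare_identifiers(e, presented) == "same-user" for e in acl)


if __name__ == "__main__":
    # Constructed sample data: an ACL retrieved from another site.
    acl = {"http://josh.example.com/#gen1"}
    for candidate in ("http://josh.example.com/#gen1",
                      "http://josh.example.com/#gen2"):
        print(display_link(candidate), acl_allows(acl, candidate))
```

Both sample identifiers render with the same visible text, which is why the comparison has to run on the `href` value rather than on what is displayed.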