Questions about IIW Identifier Recycling Table
Johnny Bufu
johnny at sxip.com
Thu Jun 7 17:51:33 UTC 2007
Hi David,
The idea was to list as columns the things potentially affected by
this change and important enough that we cared. In the end we chose
'URL + public fragment' as the one with the most check marks.
See below my comments; maybe others can correct / fill in the gaps.
On 5-Jun-07, at 1:36 PM, David Fuelling wrote:
> I wasn't at IIW, so please bear with me.
>
> In reference to the wiki at
> http://openid.net/wiki/index.php/IIW2007a/Identifier_Recycling, can
> somebody
> clarify what some of the terminology means? Specific questions are
> below.
>
> 1.) For URL+Fragment, what is the distinction between "private" and
> "public"?
>
> 2.) Ditto For URL+Token (I assume this means a public vs. private
> token?)
Public: the RP presents the full identifier (fragment included) to
third parties.
Private: the reverse of the above. Not sure if this also covered the
case (mentioned the day before the meeting) of the OP generating
custom fragments for each RP.
> 3.) What does "DE" mean in the "Does not require change to DE"?
Delegation. Corrected the wiki.
> 4.) In the "Stolen OP account" header, it appears that all 4 of the
> proposed
> methods have problems. However do we really want an identifier to be
> recycled if an account is stolen ( i.e., what if an account is only
> stolen
> for a brief period, but then recovered?)
Rather, neither of the for proposed methods help you if your OP
account is stolen, so this column doesn't make a difference.
> 4.) What is "Active Recycling"?
Not 100% here, but I believe the user / OP can choose when to recycle
an identifier.
> 5.) In the "New DB Field" header, doesn't an OP/RP need a new DB
> field in
> the fragment scheme, in order to distinguish between the id and the
> current
> fragment? Or does the OP/RP simply store the whole URL (fragment
> included)
> and parse as necessary?
Corrected this one to "One identifier / New DB field" as it shows in
my picture.
The RP can dynamically strip the fragment when it needs to display
the identifier, and keep it in full (including the fragment) for the
rest of the cases.
> 6a.) What is "MO" in "MO Strip Fragment"?
>
> 6b.) What does the "MO Strip Fragment" header mean in general?
"No strip fragment" == "there is no extra work required for stripping
the fragment". This is kind of a mirror of the previous column ("one
identifier"), but dynamically stripping the fragment was considered
better than requiring a new DB field for the tokens (so this mirrored
column pair was regarded slightly in favor of fragments vs tokens).
The "lost domain" shows as "lost domain when owning OP" in my
picture. This was considered less important (and smaller in size on
the whiteboard). I also don't remember why private fragments/tokens
don't help here, or why the public token does.
Johnny
More information about the specs
mailing list