Questions about IIW Identifier Recycling Table

Johnny Bufu johnny at sxip.com
Thu Jun 7 17:51:33 UTC 2007 

Hi David,

The idea was to list as columns the things potentially affected by  
this change and important enough that we cared. In the end we chose  
'URL + public fragment' as the one with the most check marks.

See below my comments; maybe others can correct / fill in the gaps.

On 5-Jun-07, at 1:36 PM, David Fuelling wrote:

> I wasn't at IIW, so please bear with me.
>
> In reference to the wiki at
> http://openid.net/wiki/index.php/IIW2007a/Identifier_Recycling, can  
> somebody
> clarify what some of the terminology means?  Specific questions are  
> below.
>
> 1.) For URL+Fragment, what is the distinction between "private" and
> "public"?
>
> 2.) Ditto For URL+Token (I assume this means a public vs. private  
> token?)

Public: the RP presents the full identifier (fragment included) to  
third parties.

Private: the reverse of the above. Not sure if this also covered the  
case (mentioned the day before the meeting) of the OP generating  
custom fragments for each RP.

> 3.) What does "DE" mean in the "Does not require change to DE"?

Delegation. Corrected the wiki.

> 4.) In the "Stolen OP account" header, it appears that all 4 of the  
> proposed
> methods have problems.  However do we really want an identifier to be
> recycled if an account is stolen ( i.e., what if an account is only  
> stolen
> for a brief period, but then recovered?)

Rather, neither of the for proposed methods help you if your OP  
account is stolen, so this column doesn't make a difference.


> 4.) What is "Active Recycling"?

Not 100% here, but I believe the user / OP can choose when to recycle  
an identifier.


> 5.) In the "New DB Field" header, doesn't an OP/RP need a new DB  
> field in
> the fragment scheme, in order to distinguish between the id and the  
> current
> fragment?  Or does the OP/RP simply store the whole URL (fragment  
> included)
> and parse as necessary?

Corrected this one to "One identifier / New DB field" as it shows in  
my picture.

The RP can dynamically strip the fragment when it needs to display  
the identifier, and keep it in full (including the fragment) for the  
rest of the cases.

> 6a.) What is "MO" in "MO Strip Fragment"?
>
> 6b.) What does the "MO Strip Fragment" header mean in general?

"No strip fragment" == "there is no extra work required for stripping  
the fragment". This is kind of a mirror of the previous column ("one  
identifier"), but dynamically stripping the fragment was considered  
better than requiring a new DB field for the tokens (so this mirrored  
column pair was regarded slightly in favor of fragments vs tokens).


The "lost domain" shows as "lost domain when owning OP" in my  
picture. This was considered less important (and smaller in size on  
the whiteboard). I also don't remember why private fragments/tokens  
don't help here, or why the public token does.


Johnny

More information about the specs mailing list