The "WordPress" User Problem (WAS: RE: Specifying identifier recycling)

Johnny Bufu johnny at sxip.com
Tue Jun 5 18:39:50 UTC 2007


On 5-Jun-07, at 11:12 AM, Josh Hoyt wrote:

> On 6/5/07, Recordon, David <drecordon at verisign.com> wrote:
>> Imagine if I install WordPress (or insert other app here) on
>> https://davidrecordon.com and check the "Use fragments to protect my
>> OpenID" box.  A few months later I decide to remove WordPress, or an
>> upgrade blows away my OpenID extension data, or I'm using an extension
>> which stores the fragments in /tmp/ and they get blown away.  I now no
>> longer have access to my accounts on all the relying parties I've
>> visited.  Now what do I do?
>
> The fragment is not secret. It is not "protecting" your OpenID. You
> should be able to get the fragment from any relying party that you
> visited.

I believe David's point is that you cannot retrieve the fragment from
the RP if you have lost it and are no longer able to log into any
RPs. (Unless there's an account recovery mechanism either on the RP
or the OP.) The RPs know it, but are not supposed to display /
disclose it.

> You might choose to use a fragment if you have acquired a
> recycled identifier, but you can choose the fragment. It protects
> *nothing* if you control the base identifier (to the point that you
> can choose an OpenID provider).

Agreed - if you lose control over the URL, you can no longer use
your old online identity.

However, the issue / feature this does address is "protect your RP
accounts if you lose your identity". (The new owner of
davidrecordon.com would not be able to sign into the old
davidrecordon.com's digg account.)


Johnny
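The mechanism the thread is arguing about, as an added example that is not part of the original message or of any OpenID library: a toy relying-party account store in which the full Claimed Identifier, fragment included, is the account key. It shows both sides of the discussion above: a new owner of the same URL (different fragment) does not land in the old account, and a user who has lost the fragment is in exactly the same position, even though the RP itself still holds the fragment. The domain, fragments and account names are constructed; the rule that discovery runs on the fragment-less URL while the OP's assertion may carry a fragment is my reading of OpenID 2.0 identifier recycling and is not stated in the thread.

```python
"""
Added example, not from the original thread: a toy OpenID 2.0 relying party
(RP) account store showing why a fragment on the Claimed Identifier keeps a
new owner of a recycled URL (or the same person after losing the fragment)
out of the account that was linked to the old fragment.

All identifiers, fragments and account names below are constructed for this
example; no real OpenID library is involved.
"""
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit, urlunsplit


def split_fragment(claimed_id: str) -> Tuple[str, str]:
    """Return (identifier without its fragment, fragment). Fragment may be ''."""
    parts = urlsplit(claimed_id)
    base = urlunsplit((parts.scheme, parts.netloc, parts.path, parts.query, ""))
    return base, parts.fragment


class RelyingParty:
    def __init__(self) -> None:
        # Full Claimed Identifier (fragment included) -> local account name.
        # The RP knows the fragment; it simply never displays it.
        self._accounts: Dict[str, str] = {}

    def assertion_matches_discovery(self, discovered_id: str, asserted_id: str) -> bool:
        """Discovery is performed on the user-supplied URL without a fragment
        (assumption: OpenID 2.0 recycling rules), so the OP's positive
        assertion may add a fragment; everything else must match exactly."""
        return split_fragment(discovered_id)[0] == split_fragment(asserted_id)[0]

    def account_for(self, asserted_id: str) -> Optional[str]:
        """Look up an account by the full Claimed Identifier. The same base
        URL with a different (or missing) fragment is a different user."""
        return self._accounts.get(asserted_id)

    def link_account(self, asserted_id: str, account: str) -> None:
        self._accounts[asserted_id] = account


def demo() -> Dict[str, Optional[str]]:
    rp = RelyingParty()
    base = "https://davidrecordon.example/"      # constructed, not the real site
    old_owner = base + "#a1b2c3"   # fragment the OP assigned to the first owner
    new_owner = base + "#d4e5f6"   # fragment assigned after the URL changed hands

    # First owner signs in; the RP creates and links a local account.
    assert rp.assertion_matches_discovery(base, old_owner)
    rp.link_account(old_owner, "david")

    return {
        "old_owner": rp.account_for(old_owner),   # "david": fragment still in hand
        "new_owner": rp.account_for(new_owner),   # None: recycled URL, old account safe
        "lost_fragment": rp.account_for(base),    # None: same person, fragment gone
    }


if __name__ == "__main__":
    print(demo())
```

The last two lookups in `demo` are the two halves of the thread: the `new_owner` case is the protection Johnny describes, and the `lost_fragment` case is David's recovery problem; the RP cannot tell them apart, which is why losing the fragment is equivalent to losing the identifier unless the RP or OP offers a separate account-recovery path.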
