No subject
Fri Apr 24 22:39:51 UTC 2009
Identifier Recycling</h3>
<p style=3D"margin-left: 40px;">
OpenID Providers with large user bases can use fragments
to recycle URL Identifiers if it is so desired. When
<b> reassigning </b>a URL Identifier to a <b><i>new </i>end user=
</b>OPs should
generate a new, unique fragment part.
=20
</p>
<p style=3D"margin-left: 40px;">
The full URL with the fragment part constitutes the Claimed
Identifier in positive assertions, therefore Relying Parties
will distinguish between <b>the current and <i>previous </i>own=
ers </b>of
the fragment-less URL.
=20
</p>
<p style=3D"margin-left: 40px;">
This mechanism allows the (presumably short, memorable)
recycled URL Identifiers without the fragment to be used by
end users at login time and by Relying Parties for display
purposes.
=20
</p>This smells hugely of the idea that only one user controls an identifie=
r at a time.<br><br clear=3D"all">--<br>Andrew Arnott<br>"I [may] not =
agree with what you have to say, but I'll defend to the death your righ=
t to say it." - Voltaire<br>
<br><br><div class=3D"gmail_quote">On Wed, May 13, 2009 at 10:27 AM, Nat Sa=
kimura <span dir=3D"ltr"><<a href=3D"mailto:sakimura at gmail.com">sakimura=
@gmail.com</a>></span> wrote:<br><blockquote class=3D"gmail_quote" style=
=3D"border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; p=
adding-left: 1ex;">
My interpretation is that the fragment does not necessarily mean a new<br>
user, but it just differentiate among different users.<br>
<font color=3D"#888888"><br>
=3Dnat<br>
</font><div><div></div><div class=3D"h5"><br>
On Thu, May 14, 2009 at 2:15 AM, Andrew Arnott <<a href=3D"mailto:andrew=
arnott at gmail.com">andrewarnott at gmail.com</a>> wrote:<br>
> Fragments are valid URI parts.=A0 But they are unique in that a web br=
owser<br>
> never sends them to the server.=A0 The OpenID 2.0 spec specifically ca=
lls out<br>
> fragments as valid ways that OPs can indicate to RPs that a new user<b=
r>
> controls this identifier.<br>
><br>
> So in fact that may be a problem.=A0 Multiple users could be asserting=
control<br>
> of the identifier (minus the fragment).=A0 The OpenID 2.0 spec at leas=
t hints<br>
> that OPs will use this generational #fragment to indicate a new user<b=
r>
> controls the identifier (identifier recycling).=A0 An RP that sees a n=
ew<br>
> fragment attached to a claimed_id may assume (perhaps rightly) that th=
e old<br>
> user is now gone and delete settings for the old user.=A0 If the OP ha=
bitually<br>
> sticks on random goo to the end of an identifier via its #fragment, th=
en<br>
> that interpretation by the RP would not be safe.<br>
><br>
> I don't know if others read the spec that way though.<br>
> --<br>
> Andrew Arnott<br>
> "I [may] not agree with what you have to say, but I'll defend=
to the death<br>
> your right to say it." - Voltaire<br>
><br>
><br>
> On Wed, May 13, 2009 at 10:08 AM, Santosh Rajan <<a href=3D"mailto:=
santrajan at gmail.com">santrajan at gmail.com</a>> wrote:<br>
>><br>
>> I am not sure about fragments. I dont think the fragment falls und=
er the<br>
>> deifinition of URI. see rfc 3986.<br>
>> The group can be indentified within the path part, assuming all me=
mbers of<br>
>> the group belong to the same OP and the group is known while issui=
ng the<br>
>> OpenID. In that case we dont need anything to define at the OpenID=
level.<br>
>> Or am i missing something here?<br>
>><br>
>> Andrew Arnott wrote:<br>
>> ><br>
>> > Appending a fragment at least will help the RP distinguish be=
tween<br>
>> > identifiers. And in the short term it has the merit of not re=
quiring any<br>
>> > spec changes.<br>
>> ><br>
>> > But I still would like to see a group membership claim kept s=
eparate<br>
>> > from<br>
>> > the identity claim, perhaps via the claim discovery I describ=
ed in the<br>
>> > other<br>
>> > thread.<br>
>> > --<br>
>> > Andrew Arnott<br>
>> > "I [may] not agree with what you have to say, but I'=
ll defend to the<br>
>> > death<br>
>> > your right to say it." - Voltaire<br>
>> ><br>
>> ><br>
>> > On Wed, May 13, 2009 at 9:31 AM, Nat Sakimura <<a href=3D"=
mailto:sakimura at gmail.com">sakimura at gmail.com</a>><br>
>> > wrote:<br>
>> ><br>
>> >> My previous post on pseudonymous identifier seemed to hav=
e kicked off<br>
>> >> interesting but orthogonal discussion of identifier for g=
roup of<br>
>> >> individuals (like school class, friends, etc.)<br>
>> >><br>
>> >> Please use this thread instead for this discussion.<br>
>> >><br>
>> >> Just to put an context to the discussion, I can put one d=
eployed<br>
>> >> example of this type of identifier use.<br>
>> >><br>
>> >> mixi, the largest Japanese SNS, is using the concept of &=
quot;group<br>
>> >> identifier."<br>
>> >><br>
>> >> For example, to prove you are a friend of mine, you can a=
uthenticate<br>
>> >> with the identifier<br>
>> >><br>
>> >> <a href=3D"https://id.mixi.jp/nat/friend" target=3D"_blan=
k">https://id.mixi.jp/nat/friend</a><br>
>> >><br>
>> >> The verified identifier would be something like<br>
>> >> <a href=3D"https://id.mixi.jp/nat/friend#hashOfYourId" ta=
rget=3D"_blank">https://id.mixi.jp/nat/friend#hashOfYourId</a> etc.,<br>
>> >> if I rememer right.<br>
>> >><br>
>> >> As you can see, it requires no change in the OpenID AuthN=
2.0 nor an<br>
>> >> extension.<br>
>> >><br>
>> >> Anyways.. my 2c.<br>
>> >><br>
>> >> =3Dnat<br>
>> >><br>
>> >> --<br>
>> >> Nat Sakimura (=3Dnat)<br>
>> >> <a href=3D"http://www.sakimura.org/en/" target=3D"_blank"=
>http://www.sakimura.org/en/</a><br>
>> >> _______________________________________________<br>
>> >> specs mailing list<br>
>> >> <a href=3D"mailto:specs at openid.net">specs at openid.net</a><=
br>
>> >> <a href=3D"http://openid.net/mailman/listinfo/specs" targ=
et=3D"_blank">http://openid.net/mailman/listinfo/specs</a><br>
>> >><br>
>> ><br>
>> > _______________________________________________<br>
>> > specs mailing list<br>
>> > <a href=3D"mailto:specs at openid.net">specs at openid.net</a><br>
>> > <a href=3D"http://openid.net/mailman/listinfo/specs" target=
=3D"_blank">http://openid.net/mailman/listinfo/specs</a><br>
>> ><br>
>> ><br>
>><br>
>><br>
>> -----<br>
>><br>
>> Santosh Rajan<br>
>> <a href=3D"http://santrajan.blogspot.com" target=3D"_blank">http:/=
/santrajan.blogspot.com</a> <a href=3D"http://santrajan.blogspot.com" targe=
t=3D"_blank">http://santrajan.blogspot.com</a><br>
>> --<br>
>> View this message in context:<br>
>> <a href=3D"http://www.nabble.com/Identifier-for-group-of-individul=
as-tp23525446p23526064.html" target=3D"_blank">http://www.nabble.com/Identi=
fier-for-group-of-individulas-tp23525446p23526064.html</a><br>
>> Sent from the OpenID - Specs mailing list archive at Nabble.com.<b=
r>
>><br>
>> _______________________________________________<br>
>> specs mailing list<br>
>> <a href=3D"mailto:specs at openid.net">specs at openid.net</a><br>
>> <a href=3D"http://openid.net/mailman/listinfo/specs" target=3D"_bl=
ank">http://openid.net/mailman/listinfo/specs</a><br>
><br>
><br>
> _______________________________________________<br>
> specs mailing list<br>
> <a href=3D"mailto:specs at openid.net">specs at openid.net</a><br>
> <a href=3D"http://openid.net/mailman/listinfo/specs" target=3D"_blank"=
>http://openid.net/mailman/listinfo/specs</a><br>
><br>
><br>
<br>
<br>
<br>
</div></div>--<br>
<div><div></div><div class=3D"h5">Nat Sakimura (=3Dnat)<br>
<a href=3D"http://www.sakimura.org/en/" target=3D"_blank">http://www.sakimu=
ra.org/en/</a><br>
</div></div></blockquote></div><br>
--000e0cd48872d13e4c0469ceb281--
More information about the specs
mailing list