From <a href="http://openid.net/specs/openid-authentication-2_0.html#identifying">the spec</a>:<br><h3 style="margin-left: 40px;">11.5.1. Identifier Recycling</h3>
<p style="margin-left: 40px;">
OpenID Providers with large user bases can use fragments
to recycle URL Identifiers if it is so desired. When
<b>reassigning</b> a URL Identifier to a <b><i>new</i> end user</b>, OPs should
generate a new, unique fragment part.
</p>
<p style="margin-left: 40px;">
The full URL with the fragment part constitutes the Claimed
Identifier in positive assertions, therefore Relying Parties
will distinguish between <b>the current and <i>previous</i> owners</b> of
the fragment-less URL.
</p>
<p style="margin-left: 40px;">
This mechanism allows the (presumably short, memorable)
recycled URL Identifiers without the fragment to be used by
end users at login time and by Relying Parties for display
purposes.
</p>This smells hugely of the idea that only one user controls an identifier at a time.<br><br clear="all">--<br>Andrew Arnott<br>"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - Voltaire<br>
<br><br><div class="gmail_quote">On Wed, May 13, 2009 at 10:27 AM, Nat Sakimura <span dir="ltr"><<a href="mailto:sakimura@gmail.com">sakimura@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
My interpretation is that the fragment does not necessarily mean a new<br>
user, but it just differentiates among different users.<br>
<font color="#888888"><br>
=nat<br>
</font><div><div></div><div class="h5"><br>
On Thu, May 14, 2009 at 2:15 AM, Andrew Arnott <<a href="mailto:andrewarnott@gmail.com">andrewarnott@gmail.com</a>> wrote:<br>
> Fragments are valid URI parts. But they are unique in that a web browser<br>
> never sends them to the server. The OpenID 2.0 spec specifically calls out<br>
> fragments as valid ways that OPs can indicate to RPs that a new user<br>
> controls this identifier.<br>
><br>
> So in fact that may be a problem. Multiple users could be asserting control<br>
> of the identifier (minus the fragment). The OpenID 2.0 spec at least hints<br>
> that OPs will use this generational #fragment to indicate a new user<br>
> controls the identifier (identifier recycling). An RP that sees a new<br>
> fragment attached to a claimed_id may assume (perhaps rightly) that the old<br>
> user is now gone and delete settings for the old user. If the OP habitually<br>
> sticks on random goo to the end of an identifier via its #fragment, then<br>
> that interpretation by the RP would not be safe.<br>
><br>
> I don't know if others read the spec that way though.<br>
> --<br>
> Andrew Arnott<br>
> "I [may] not agree with what you have to say, but I'll defend to the death<br>
> your right to say it." - Voltaire<br>
><br>
><br>
> On Wed, May 13, 2009 at 10:08 AM, Santosh Rajan <<a href="mailto:santrajan@gmail.com">santrajan@gmail.com</a>> wrote:<br>
>><br>
>> I am not sure about fragments. I don't think the fragment falls under the<br>
>> definition of URI. See RFC 3986.<br>
>> The group can be identified within the path part, assuming all members of<br>
>> the group belong to the same OP and the group is known while issuing the<br>
>> OpenID. In that case we don't need anything to define at the OpenID level.<br>
>> Or am I missing something here?<br>
>><br>
>> Andrew Arnott wrote:<br>
>> ><br>
>> > Appending a fragment at least will help the RP distinguish between<br>
>> > identifiers. And in the short term it has the merit of not requiring any<br>
>> > spec changes.<br>
>> ><br>
>> > But I still would like to see a group membership claim kept separate<br>
>> > from<br>
>> > the identity claim, perhaps via the claim discovery I described in the<br>
>> > other<br>
>> > thread.<br>
>> > --<br>
>> > Andrew Arnott<br>
>> > "I [may] not agree with what you have to say, but I'll defend to the<br>
>> > death<br>
>> > your right to say it." - Voltaire<br>
>> ><br>
>> ><br>
>> > On Wed, May 13, 2009 at 9:31 AM, Nat Sakimura <<a href="mailto:sakimura@gmail.com">sakimura@gmail.com</a>><br>
>> > wrote:<br>
>> ><br>
>> >> My previous post on pseudonymous identifier seemed to have kicked off<br>
>> >> interesting but orthogonal discussion of identifier for group of<br>
>> >> individuals (like school class, friends, etc.)<br>
>> >><br>
>> >> Please use this thread instead for this discussion.<br>
>> >><br>
>> >> Just to put a context to the discussion, I can put one deployed<br>
>> >> example of this type of identifier use.<br>
>> >><br>
>> >> mixi, the largest Japanese SNS, is using the concept of "group<br>
>> >> identifier."<br>
>> >><br>
>> >> For example, to prove you are a friend of mine, you can authenticate<br>
>> >> with the identifier<br>
>> >><br>
>> >> <a href="https://id.mixi.jp/nat/friend" target="_blank">https://id.mixi.jp/nat/friend</a><br>
>> >><br>
>> >> The verified identifier would be something like<br>
>> >> <a href="https://id.mixi.jp/nat/friend#hashOfYourId" target="_blank">https://id.mixi.jp/nat/friend#hashOfYourId</a> etc.,<br>
>> >> if I remember right.<br>
>> >><br>
>> >> As you can see, it requires no change in the OpenID AuthN 2.0 nor an<br>
>> >> extension.<br>
>> >><br>
>> >> Anyways.. my 2c.<br>
>> >><br>
>> >> =nat<br>
>> >><br>
>> >> --<br>
>> >> Nat Sakimura (=nat)<br>
>> >> <a href="http://www.sakimura.org/en/" target="_blank">http://www.sakimura.org/en/</a><br>
>> >> _______________________________________________<br>
>> >> specs mailing list<br>
>> >> <a href="mailto:specs@openid.net">specs@openid.net</a><br>
>> >> <a href="http://openid.net/mailman/listinfo/specs" target="_blank">http://openid.net/mailman/listinfo/specs</a><br>
>> >><br>
>> ><br>
>> ><br>
>> ><br>
>><br>
>><br>
>> -----<br>
>><br>
>> Santosh Rajan<br>
>> <a href="http://santrajan.blogspot.com" target="_blank">http://santrajan.blogspot.com</a><br>
><br>
><br>
><br>
><br>
<br>
<br>
<br>
</div></div>--<br>
<div><div></div><div class="h5">Nat Sakimura (=nat)<br>
<a href="http://www.sakimura.org/en/" target="_blank">http://www.sakimura.org/en/</a><br>
</div></div></blockquote></div><br>
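The identifier recycling mechanism quoted from section 11.5.1, as an added example that is not code from the thread or from any OpenID library: an RP-side account lookup keyed on the full Claimed Identifier, with a fragment-less lookup beside it to show why the fragment cannot be dropped. All URLs and account names are constructed placeholders.

```python
# Added example (not from the thread): how a Relying Party might key accounts on
# the full OpenID 2.0 Claimed Identifier, fragment included, per spec 11.5.1.
# All URLs and account names used here are constructed placeholders.
from urllib.parse import urlsplit, urlunsplit


def split_claimed_id(claimed_id):
    """Split a positive-assertion claimed_id into (fragment-less URL, fragment).

    The fragment-less URL is what the user types at login and what the RP
    displays; the full URL with the fragment is the Claimed Identifier the RP
    must store and compare.
    """
    p = urlsplit(claimed_id)
    display_url = urlunsplit((p.scheme, p.netloc, p.path, p.query, ""))
    return display_url, p.fragment


class RelyingPartyAccounts:
    """Account store keyed on the full Claimed Identifier (constructed)."""

    def __init__(self):
        self._by_claimed_id = {}  # full claimed_id -> local account name

    def link(self, claimed_id, account):
        self._by_claimed_id[claimed_id] = account

    def unsafe_resolve(self, claimed_id):
        """Lookup keyed on the fragment-less URL only.

        A recycled identifier (same URL, new fragment) silently inherits the
        previous owner's account: this is the mistake the thread warns about.
        """
        display_url, _ = split_claimed_id(claimed_id)
        for known, account in self._by_claimed_id.items():
            if split_claimed_id(known)[0] == display_url:
                return account
        return None

    def resolve(self, claimed_id):
        """Lookup keyed on the full Claimed Identifier.

        Returns ("known", account) on an exact match; ("same_url_new_fragment",
        previous_account) when only the fragment differs, leaving the RP to
        apply its own policy (a distinct user, not proof the old owner is gone);
        and ("unknown", None) otherwise.
        """
        if claimed_id in self._by_claimed_id:
            return "known", self._by_claimed_id[claimed_id]
        previous = self.unsafe_resolve(claimed_id)
        if previous is not None:
            return "same_url_new_fragment", previous
        return "unknown", None
```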