<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
The intent of the fragment was to allow OPs to recycle OpenIDs, and the
fragment is intended to be a "generation identifier" that RPs can use
to determine that the OpenID was recycled.<br>
<br>
Allen<br>
<br>
<br>
Andrew Arnott wrote:
<blockquote
cite="mid:216e54900905131039t2c689b2dve54c3e0e83a7a100@mail.gmail.com"
type="cite">From <a moz-do-not-send="true"
href="http://openid.net/specs/openid-authentication-2_0.html#identifying">the
spec</a>:<br>
<div style="margin-left: 40px;"><br>
</div>
<h3 style="margin-left: 40px;">11.5.1.
Identifier Recycling</h3>
<p style="margin-left: 40px;"> OpenID Providers with large user bases
can use fragments to recycle URL Identifiers if it is so desired. When
<b> reassigning </b>a URL Identifier to a <b><i>new </i>end user </b>OPs
should generate a new, unique fragment part. </p>
<p style="margin-left: 40px;"> The full URL with the fragment part
constitutes the Claimed Identifier in positive assertions, therefore
Relying Parties will distinguish between <b>the current and <i>previous
</i>owners </b>of the fragment-less URL. </p>
<p style="margin-left: 40px;"> This mechanism allows the (presumably
short, memorable) recycled URL Identifiers without the fragment to be
used by end users at login time and by Relying Parties for display
purposes. </p>
This smells hugely of the idea that only one user controls an
identifier at a time.<br>
<br clear="all">
--<br>
Andrew Arnott<br>
"I [may] not agree with what you have to say, but I'll defend to the
death your right to say it." - Voltaire<br>
<br>
<br>
<div class="gmail_quote">On Wed, May 13, 2009 at 10:27 AM, Nat
Sakimura <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:sakimura@gmail.com">sakimura@gmail.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote"
style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">My
interpretation is that the fragment does not necessarily mean a new<br>
user, but it just differentiates among different users.<br>
<font color="#888888"><br>
=nat<br>
</font>
<div>
<div class="h5"><br>
On Thu, May 14, 2009 at 2:15 AM, Andrew Arnott <<a
moz-do-not-send="true" href="mailto:andrewarnott@gmail.com">andrewarnott@gmail.com</a>>
wrote:<br>
> Fragments are valid URI parts. But they are unique in that a web
browser<br>
> never sends them to the server. The OpenID 2.0 spec specifically
calls out<br>
> fragments as valid ways that OPs can indicate to RPs that a new
user<br>
> controls this identifier.<br>
><br>
> So in fact that may be a problem. Multiple users could be
asserting control<br>
> of the identifier (minus the fragment). The OpenID 2.0 spec at
least hints<br>
> that OPs will use this generational #fragment to indicate a new
user<br>
> controls the identifier (identifier recycling). An RP that sees a
new<br>
> fragment attached to a claimed_id may assume (perhaps rightly)
that the old<br>
> user is now gone and delete settings for the old user. If the OP
habitually<br>
> sticks on random goo to the end of an identifier via its
#fragment, then<br>
> that interpretation by the RP would not be safe.<br>
><br>
> I don't know if others read the spec that way though.<br>
> --<br>
> Andrew Arnott<br>
> "I [may] not agree with what you have to say, but I'll defend to
the death<br>
> your right to say it." - Voltaire<br>
><br>
><br>
> On Wed, May 13, 2009 at 10:08 AM, Santosh Rajan <<a
moz-do-not-send="true" href="mailto:santrajan@gmail.com">santrajan@gmail.com</a>>
wrote:<br>
>><br>
>> I am not sure about fragments. I don't think the fragment falls
under the<br>
>> definition of URI. See RFC 3986.<br>
>> The group can be identified within the path part, assuming
all members of<br>
>> the group belong to the same OP and the group is known while
issuing the<br>
>> OpenID. In that case we don't need anything to define at the
OpenID level.<br>
>> Or am I missing something here?<br>
>><br>
>> Andrew Arnott wrote:<br>
>> ><br>
>> > Appending a fragment at least will help the RP
distinguish between<br>
>> > identifiers. And in the short term it has the merit of
not requiring any<br>
>> > spec changes.<br>
>> ><br>
>> > But I still would like to see a group membership claim
kept separate<br>
>> > from<br>
>> > the identity claim, perhaps via the claim discovery I
described in the<br>
>> > other<br>
>> > thread.<br>
>> > --<br>
>> > Andrew Arnott<br>
>> > "I [may] not agree with what you have to say, but I'll
defend to the<br>
>> > death<br>
>> > your right to say it." - Voltaire<br>
>> ><br>
>> ><br>
>> > On Wed, May 13, 2009 at 9:31 AM, Nat Sakimura <<a
moz-do-not-send="true" href="mailto:sakimura@gmail.com">sakimura@gmail.com</a>><br>
>> > wrote:<br>
>> ><br>
>> >> My previous post on pseudonymous identifier seemed to
have kicked off<br>
>> >> interesting but orthogonal discussion of identifier
for group of<br>
>> >> individuals (like school class, friends, etc.)<br>
>> >><br>
>> >> Please use this thread instead for this discussion.<br>
>> >><br>
>> >> Just to put a context to the discussion, I can put
one deployed<br>
>> >> example of this type of identifier use.<br>
>> >><br>
>> >> mixi, the largest Japanese SNS, is using the concept
of "group<br>
>> >> identifier."<br>
>> >><br>
>> >> For example, to prove you are a friend of mine, you
can authenticate<br>
>> >> with the identifier<br>
>> >><br>
>> >> <a moz-do-not-send="true"
href="https://id.mixi.jp/nat/friend" target="_blank">https://id.mixi.jp/nat/friend</a><br>
>> >><br>
>> >> The verified identifier would be something like<br>
>> >> <a moz-do-not-send="true"
href="https://id.mixi.jp/nat/friend#hashOfYourId" target="_blank">https://id.mixi.jp/nat/friend#hashOfYourId</a>
etc.,<br>
>> >> if I remember right.<br>
>> >><br>
>> >> As you can see, it requires no change in the OpenID
AuthN 2.0 nor an<br>
>> >> extension.<br>
>> >><br>
>> >> Anyways.. my 2c.<br>
>> >><br>
>> >> =nat<br>
>> >><br>
>> >> --<br>
>> >> Nat Sakimura (=nat)<br>
>> >> <a moz-do-not-send="true"
href="http://www.sakimura.org/en/" target="_blank">http://www.sakimura.org/en/</a><br>
>> >> _______________________________________________<br>
>> >> specs mailing list<br>
>> >> <a moz-do-not-send="true"
href="mailto:specs@openid.net">specs@openid.net</a><br>
>> >> <a moz-do-not-send="true"
href="http://openid.net/mailman/listinfo/specs" target="_blank">http://openid.net/mailman/listinfo/specs</a><br>
>> >><br>
>> ><br>
>> ><br>
>> ><br>
>><br>
>><br>
>> -----<br>
>><br>
>> Santosh Rajan<br>
>> <a moz-do-not-send="true" href="http://santrajan.blogspot.com"
target="_blank">http://santrajan.blogspot.com</a><br>
>><br>
><br>
><br>
><br>
><br>
<br>
<br>
<br>
</div>
</div>
--<br>
<div>
<div class="h5">Nat Sakimura (=nat)<br>
<a moz-do-not-send="true" href="http://www.sakimura.org/en/"
target="_blank">http://www.sakimura.org/en/</a><br>
</div>
</div>
</blockquote>
</div>
<br>
<pre wrap="">
<hr size="4" width="90%">
_______________________________________________
specs mailing list
<a class="moz-txt-link-abbreviated" href="mailto:specs@openid.net">specs@openid.net</a>
<a class="moz-txt-link-freetext" href="http://openid.net/mailman/listinfo/specs">http://openid.net/mailman/listinfo/specs</a>
</pre>
</blockquote>
<br>
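The recycling mechanism quoted from spec section 11.5.1 above, worked through from the Relying Party side as an added example (not code from the thread or from any OpenID implementation; the account store, helper names and sample identifiers are constructed here): accounts are keyed on the full claimed_id including the fragment, so a reassigned identifier maps to a distinct end user and the previous owner's account is neither inherited nor deleted, set beside the fragment-less keying that would hand the old account to whoever the OP next assigns the URL to.

```python
"""Relying-party handling of recycled OpenID 2.0 identifiers (spec 11.5.1).

Added example, not code from the thread or from any OpenID library. The
account store, helper names and sample identifiers are constructed here.
"""
from urllib.parse import urldefrag, urlsplit, urlunsplit


def display_identifier(claimed_id: str) -> str:
    """Fragment-less form that the spec allows for login prompts and display."""
    return urldefrag(claimed_id).url


def normalize_claimed_id(claimed_id: str) -> str:
    """Lower-case scheme and host but keep the fragment: it is part of the
    Claimed Identifier in a positive assertion and tells owners apart."""
    p = urlsplit(claimed_id)
    return urlunsplit((p.scheme.lower(), p.netloc.lower(),
                       p.path or "/", p.query, p.fragment))


class AccountStore:
    """RP account table. Safe mode keys accounts on the full claimed_id;
    the unsafe mode keys on the fragment-less URL, so a recycled identifier
    logs the new end user straight into the previous owner's account."""

    def __init__(self, key_includes_fragment: bool = True):
        self._key_includes_fragment = key_includes_fragment
        self._accounts = {}

    def _key(self, claimed_id: str) -> str:
        norm = normalize_claimed_id(claimed_id)
        return norm if self._key_includes_fragment else display_identifier(norm)

    def login(self, claimed_id: str) -> dict:
        """Return the matched account plus how the assertion was classified."""
        key = self._key(claimed_id)
        if key in self._accounts:
            return {"status": "existing", "account": self._accounts[key]}
        display = display_identifier(key)
        # Same fragment-less URL already known under another fragment: the OP
        # reassigned the identifier. Treat the assertion as a distinct end user
        # and leave the earlier owner's account alone rather than deleting it.
        previous = [k for k in self._accounts
                    if display_identifier(k) == display]
        account = {"claimed_id": key, "display": display}
        self._accounts[key] = account
        return {"status": "recycled" if previous else "new",
                "account": account, "previous": previous}
```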
</body>
</html>