Most URI schemes support fragments. I am guessing that acct: could support fragments.
Are you planning on registering the scheme? Are you thinking that Acct: will be used only for meta-data lookup, or for the claimed_id as well?

By changing account recycling detection to be a separate parameter we are creating a significant breaking change that affects applications' account logic as well as the OpenID library.

I think OpenID's use of the fragment is compatible with the semantic web's use, though that is more coincidence than design. https://ve7jtb.startssl.com/#123 becomes an identifier for me rather than the profile page.

We need to carefully consider things that may be breaking changes.

Another issue we need to address is migrating people from http: identifiers at the RP. With RPs normalizing to http: and OPs not redirecting to the https version, we are providing much lower security to people than we could be. Perhaps moving people to Acct: type identifiers, where discovery is more secure, is part of the solution. However, we do have a real problem with the installed base.

John B.

On 2009-12-03, at 12:45 AM, John Panzer wrote:

> #1 is an extremely good point. 'Acct:' Webfinger identifiers do not
> currently allow fragments for example.
>
> On Wednesday, December 2, 2009, Santosh Rajan <[email protected]> wrote:
>> Oops, resending to specs.
>>
>> On Thu, Dec 3, 2009 at 8:07 AM, Santosh Rajan <[email protected]> wrote:
>>
>> Hi Allen,
>> It is just that I thought using fragments is less than optimal for recycled
>> accounts.
>>
>> 1) If we are looking at OpenIDs as more than just http URIs,
>> possibly any other URI, this could complicate matters.
>>
>> 2) Unfortunately fragments just don't look good when printed.
>>
>> 3) Also the usage of fragments in OpenID does not reflect the true meaning of fragments.
>> Fragments are used to denote different avatars of the "same entity", as in
>> the semantic web, or different parts of the same document as in HTML usage.
>> However for OpenID we are using fragments to denote an entirely different
>> entity, a new recycled account.
>>
>> If there are privacy concerns for using the account creation date I am open
>> to using something else instead. But the idea was to avoid fragments by
>> adding an extra parameter in the protocol, rather than in AX.
>>
>> On Thu, Dec 3, 2009 at 1:04 AM, Allen Tom <[email protected]> wrote:
>>
>> Hi Santosh,
>>
>> Section 11.5.1 in the OpenID 2.0 spec specifically mentions using fragments
>> to differentiate between different users in the event that the OpenID URL is
>> recycled.
>>
>> http://openid.net/specs/openid-authentication-2_0.html#identifying
>>
>> Large identity providers often try to free up desirable userids by recycling
>> ids that are inactive.
>>
>> I do agree that the account creation date is very useful to RPs, and several RPs
>> have asked us to make the user's account creation date available via
>> Attribute Exchange. RPs that ask for this are usually interested in using
>> the account's tenure for anti-abuse purposes. The Yahoo OP will be making
>> the account creation date available via AX early next year. Hopefully we
>> can have a standard schema for this.
>>
>> Allen
>>
>> On 12/1/09 8:32 PM, "Santosh Rajan" <[email protected]> wrote:
>>
>> I would like, first of all, to apologize to all members of the community for
>> having made comments that have caused distress on this list. My apologies to
>> all members.
>>
>> I am not aware if the idea of using account creation dates to preempt
>> recyclable identifiers has been considered before, and I thought it might
>> be a cheap way to preempt the problem, and worth looking into.
>>
>> All accounts have a logical creation date, a timestamp that in combination
>> with an account identifier will be universally unique. I think all providers
>> save this timestamp (or at least the creation date) when the account is
>> created. Let us call this timestamp the "account timestamp". This timestamp
>> does not change through the life cycle of the identifier, and only changes
>> when a new account is created with the same identifier (recycled).
>>
>> 1) All OPs can return the account timestamp as an extra parameter with
>> every authentication response.
>> 2) Every time a user logs in at an RP, the RP can verify that the timestamp
>> has not changed.
>> 3) If the timestamp has changed, it means that this is a recycled identifier,
>> and this is a new user.
>>
>> --
>> http://hi.im/santosh
>
> --
> John Panzer / Google
> [email protected] / abstractioneer.org / @jpanzer
> _______________________________________________
> specs mailing list
> [email protected]
> http://lists.openid.net/mailman/listinfo/openid-specs
_______________________________________________ specs mailing list [email protected] http://lists.openid.net/mailman/listinfo/openid-specs
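The two recycled-identifier mechanisms argued over in this thread, side by side in RP-side code. This is an added example written for this archive page; it is not code from any OpenID library, from the Yahoo OP, or from any participant. It assumes the assertion has already been signature-verified, keys local accounts on the full claimed_id (fragment kept, as the section 11.5.1 approach Allen Tom cites requires) while stripping the fragment only for discovery, and models Santosh Rajan's proposal with a response parameter named `openid.account_timestamp`, which is an assumed name: no such parameter exists in OpenID 2.0.

```python
"""
Relying-party (RP) handling of recycled OpenID identifiers.

Added example for this thread, not code from any OpenID implementation.
Mechanism 1: the OP appends a fragment to the claimed identifier on
recycling (https://ve7jtb.startssl.com/#123); the RP keys on the full
claimed_id and drops the fragment only for discovery.
Mechanism 2 (Santosh Rajan's proposal): the OP returns an account
timestamp with every assertion; a changed value means a new user.
The parameter name ACCOUNT_TIMESTAMP_PARAM is an assumption.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit, urlunsplit

# Assumed name for the extra response parameter proposed in the thread.
ACCOUNT_TIMESTAMP_PARAM = "openid.account_timestamp"


def discovery_url(claimed_id: str) -> str:
    """URL the RP fetches for discovery: the fragment is removed, as the
    OpenID 2.0 identifier normalization rules require."""
    p = urlsplit(claimed_id)
    return urlunsplit((p.scheme, p.netloc, p.path, p.query, ""))


@dataclass
class LocalAccount:
    local_id: int
    claimed_id: str                       # full identifier, fragment kept
    account_timestamp: Optional[str] = None
    retired: bool = False                 # set when recycling is detected


@dataclass
class RelyingParty:
    # Local account store keyed on the full claimed identifier.
    accounts: Dict[str, LocalAccount] = field(default_factory=dict)
    _next_id: int = 1

    def _create(self, claimed_id: str, ts: Optional[str]) -> LocalAccount:
        acct = LocalAccount(self._next_id, claimed_id, ts)
        self._next_id += 1
        self.accounts[claimed_id] = acct
        return acct

    def handle_assertion(self, response: Dict[str, str]) -> Tuple[LocalAccount, bool]:
        """Map an already signature-verified positive assertion to a local
        account. Returns (account, is_new_user).

        Recycling shows up either as a claimed_id with a new fragment (so
        simply a different key) or as an account timestamp that differs
        from the one pinned at first login."""
        claimed_id = response["openid.claimed_id"]
        ts = response.get(ACCOUNT_TIMESTAMP_PARAM)

        existing = self.accounts.get(claimed_id)
        if existing is None:
            return self._create(claimed_id, ts), True

        if ts is not None and existing.account_timestamp is not None \
                and ts != existing.account_timestamp:
            # Same identifier, different creation time: the OP has handed
            # this id to someone else. Detach the old local account rather
            # than letting the new holder inherit it.
            existing.retired = True
            return self._create(claimed_id, ts), True

        if ts is not None and existing.account_timestamp is None:
            # OP started sending the parameter after first login; pin it now.
            existing.account_timestamp = ts
        return existing, False
```

Two points worth noting against the thread. First, the fragment approach costs the RP nothing beyond not normalizing the fragment away before using claimed_id as its key; the timestamp approach is the one that touches every RP's account logic, which is the breaking change John B. raises. Second, if a timestamp parameter were ever added, it would have to be listed in `openid.signed`, since any response parameter outside the signature can be rewritten in transit and would then let an attacker trigger or suppress the "new user" path at will.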
