On 6/5/07, Johnny Bufu <[EMAIL PROTECTED]> wrote: > > The fragment is not secret. It is not "protecting" your OpenID. You > > should be able to get the fragment from any relying party that you > > visited. > > I believe David's point is that you cannot retrieve the fragment from > the RP if you have lost it and are no longer able to log into any > RPs. (Unless there's an account recovery mechanism either on the RP > or the OP.) The RPs know it, but are not supposed to display / > disclose it.
The relying parties SHOULD make the fragment available to software agents, at least, so that it's possible to compare identifiers across sites. If the fragment is never available, then there is confusion about which user of an identifier is responsible for content that has been posted. One use case where software agents having access to the fragment is particularly important is if the identifier is used for access control, and the access control list is retrieved from off-site (e.g. from a social networking site). The implementation that seems most sane is for places that display the identifier for human reading look like: <a href="http://josh.example.com/#this-is-intended-for-machine-consumption" >http://josh.example.com/</a> so that the software agent would see the fragment, but the user wouldn't have to. Using this approach, the fragment is trivially available anywhere you signed in. There is also no reason that a relying party should hide the fragment if a user asks for it. Since it is not sensitive information, it does not require "account recovery." Josh _______________________________________________ specs mailing list specs@openid.net http://openid.net/mailman/listinfo/specs