>Josh Hoyt wrote:
>
>The fragment is not secret. It is not "protecting" your OpenID. You
>should be able to get the fragment from any relying party that you
>visited. You might choose to use a fragment if you have acquired a
>recycled identifier, but you can choose the fragment. It protects
>*nothing* if you control the base identifier (to the point that you
>can choose an OpenID provider).

Isn't this a core flaw with the fragment approach? That if you lose control of the base identifier, you lose control of any fragment? Wouldn't it be fairly easy -- precisely because the fragment is not secret -- for the party that takes over the base identifier to discover the fragment(s) that have been used earlier, and thus for the new owner to then be able to spoof any fragment that has been issued?

I suppose this doesn't apply to large sites, where all identifiers are managed "in trust" for users and they can enforce non-access to previous fragments. But for personal URLs it doesn't appear to work at all.

Am I missing anything?

=Drummond

_______________________________________________
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs