POST instead of GET for associate mode?
Nathan D. Bowen
nbowen+yadis at andtonic.com
Thu Jun 9 17:04:14 PDT 2005
Paul Crowley wrote:
> Actually, consumers do have to produce this format, in order to
> validate signatures.
Eep, I'd forgotten about that change. See, this new format is *so* good
and easy to implement I didn't even remember doing it!
> There's a standard format for sending key/value pairs in a web request
> that every toolkit supports well, so it's very convenient to use.
I dig that completely. The difference seems even smaller to me if every
consumer is guaranteed to have an implementation, but I still agree that
having an implementation doesn't make it as good or as standard as a
well-aged implementation of x-www-form-urlencoded.
This also provides some insight into what will set OpenID apart (and/or
define its niche) by making explicit decisions about balancing values
like standards-compliance, internal consistency, and ease-of-implementation.
I was coming at it with priorities that said it would be okay to prefer
our existing non-standard format because at least it would be internally
consistent, and standards aren't interesting unless they keep things
consistent. I've caught on that with OpenID's design goals, the angle
here might be more like: it's okay to be half-consistent as long as
we're easy to implement, and standards are interesting wherever they
make implementation easy.
I know I'm outing myself here (especially in light of the earlier
short-lived XML discussions), but I have been working with SAML lately
and I've quickly developed a habit of comparing and contrasting it with
SAML separates the specification of the messages themselves from the
specification of how those messages are delivered. In fact, those two
topics are covered by completely separate documents.
Where two parts of the system are communicating the same thing, in a
request or a response, the parts of the messages that are the "same" are
in the same in format.
But when it comes time to describe the usage profiles, SAML can't take
advantage of specifics like a standard name/value format that every
toolkit supports -- but OpenID will do just that.
Heck, I came here in the first place specifically because I don't like
More information about the yadis