POST instead of GET for associate mode?
Nathan D. Bowen
nbowen+yadis at andtonic.com
Thu Jun 9 17:04:14 PDT 2005
Paul Crowley wrote:
> Actually, consumers do have to produce this format, in order to
> validate signatures.
Eep, I'd forgotten about that change. See, this new format is *so* good
and easy to implement I didn't even remember doing it!
> There's a standard format for sending key/value pairs in a web request
> that every toolkit supports well, so it's very convenient to use.
I dig that completely. The difference seems even smaller to me if every
consumer is guaranteed to have an implementation, but I still agree that
having an implementation doesn't make it as good or as standard as a
well-aged implementation of x-www-form-urlencoded.
This also provides some insight into what will set OpenID apart (and/or
define its niche) by making explicit decisions about balancing values
like standards-compliance, internal consistency, and ease-of-implementation.
I was coming at it with priorities that said it would be okay to prefer
our existing non-standard format because at least it would be internally
consistent, and standards aren't interesting unless they keep things
consistent. I've caught on that with OpenID's design goals, the angle
here might be more like: it's okay to be half-consistent as long as
we're easy to implement, and standards are interesting wherever they
make implementation easy.
I know I'm outing myself here (especially in light of the earlier
short-lived XML discussions), but I have been working with SAML lately
and I've quickly developed a habit of comparing and contrasting it with
OpenID.
SAML separates the specification of the messages themselves from the
specification of how those messages are delivered. In fact, those two
topics are covered by completely separate documents.
Where two parts of the system are communicating the same thing, in a
request or a response, the parts of the messages that are the "same" are
in the same format.
But when it comes time to describe the usage profiles, SAML can't take
advantage of specifics like a standard name/value format that every
toolkit supports -- but OpenID will do just that.
Heck, I came here in the first place specifically because I don't like
implementing SAML.