Blog URI, is it necessary?
mart at degeneration.co.uk
Fri May 20 10:26:35 PDT 2005
Brad Fitzpatrick wrote:
> -- server-side process validates signature, gets public key from identity
> server, validates (probably from cache) that the identity URL provided
> does point to the identity server that was hit. Now, even if the
> identity server returned a different identity URL, and even
> if that alternative identity URL pointed at the identity server,
> the application MIGHT not have updated its identity URL form field
> when the identity server returned. It might have only stashed away
> in hidden fields the timestamp and signature.
> So guys, what should be the recommendation here? We have to tell
> consumers in the spec whether or not they should be prepared for the
> assert_identity value changing.
This is starting to sound like the "Canonical ID" thread.