Blog URI, is it necessary?
bhyde at pobox.com
Mon May 23 11:45:33 PDT 2005
On May 20, 2005, at 1:29 PM, Brad Fitzpatrick wrote:
> On Fri, 20 May 2005, Martin Atkins wrote:
>> Brad Fitzpatrick wrote:
>>> -- server-side process validates signature, gets public key from
>>> server, validates (probably from cache) that the identity URL
>>> does point to the identity server that was hit. Now, even if the
>>> identity server gave returned a differnet identity URL, and even
>>> if that alternative identity URL pointed at the identity server,
>>> the application MIGHT not have updates its identity URL form field
>>> when the identity server returned. it might have only stashed
>>> in hidden fields the timestamp and signature.
>>> So guys, what should be the recommendation here? We have to tell
>>> consumers in the spec whether or not they should be prepared for the
>>> assert_identity value changing.
>> This is starting to sound like the "Canonical ID" thread.
> The spec already has canonicalization rules:
> -- add "/" if there's no path
> -- add "http://" if there's no scheme
> -- follow redirects
> -- send final URL
> With that, I think it's up to the consumer to ask for the right URL in
> first place.
> If the identity server wants to canonicalize, it should redirect.
> does by default, too, on directories)
The user, Alice, enter's a URL at a site, Steve. Steve cleans up that
URL and goes to get a
page from server Bob. How clever can Bob get? Or in other words what
can Bob depend on
having at hand when he starts redirecting? I think the spec needs a
little clarification. For
example, Bob can't depend on get Alice's or Steve's cookies - right?
> So I vote nay.
> - Brad
> yadis mailing list
> yadis at lists.danga.com
I forecast sunny weather!
More information about the yadis