Blog URI, is it necessary?

[Ben Hyde]

On May 20, 2005, at 1:29 PM, Brad Fitzpatrick wrote:
> On Fri, 20 May 2005, Martin Atkins wrote:
>
>> Brad Fitzpatrick wrote:
>>>
>>> -- server-side process validates signature, gets public key from 
>>> identity
>>>    server, validates (probably from cache) that the identity URL 
>>> provided
>>>    does point to the identity server that was hit.  Now, even if the
>>>    identity server gave returned a differnet identity URL, and even
>>>    if that alternative identity URL pointed at the identity server,
>>>    the application MIGHT not have updates its identity URL form field
>>>    when the identity server returned.  it might have only stashed 
>>> away
>>>    in hidden fields the timestamp and signature.
>>>
>>> So guys, what should be the recommendation here?  We have to tell
>>> consumers in the spec whether or not they should be prepared for the
>>> assert_identity value changing.
>>>
>>
>> This is starting to sound like the "Canonical ID" thread.
>
> The spec already has canonicalization rules:
>
> -- add "/" if there's no path
> -- add "http://" if there's no scheme
> -- follow redirects
> -- send final URL
>
> With that, I think it's up to the consumer to ask for the right URL in 
> the
> first place.
>
> If the identity server wants to canonicalize, it should redirect. 
> (Apache
> does by default, too, on directories)

The user, Alice, enter's a URL at a site, Steve.  Steve cleans up that 
URL and goes to get a
page from server Bob.   How clever can Bob get?  Or in other words what 
can Bob depend on
having at hand when he starts redirecting?  I think the spec needs a 
little clarification.   For
example, Bob can't depend on get Alice's or Steve's cookies - right?

  - ben

> So I vote nay.
>
> - Brad
> _______________________________________________
> yadis mailing list
> yadis at lists.danga.com
> http://lists.danga.com/mailman/listinfo/yadis
>
>
----
http://enthusiasm.cozy.org   http://gibbon.cozy.org   
tel:+1-781-240-2221
  I forecast sunny weather!