Proposal (Was: When are and aren't two URLs the same?)

Jonathan Daugherty cygnus at janrain.com
Fri Apr 21 21:40:57 UTC 2006


# Is susceptibility to phishing a technical reason for you?

Not necessarily.  A solution which makes phishing *impossible* without
breaking anything else is a more convincing solution than one which
merely makes it "less likely".

# As Kim Cameron pointed out so memorably, we must consider the user
# part of the identity system in whatever we do. The majority of the
# elements in my list of transformations are motivated by that
# consideration.

And I consider the user's confusion when the identity URL he sees on
sites which consume it differs -- perhaps remarkably -- from what his
IDP has given him.  (Since sites store the canonicalized version and
display that while the user navigates the site.)

# Anybody have an idea how to say that better? It could be we simply
# say: DNS names in Yadis URLs must always be fully qualified.

If a Yadis identifier is used on a corporate intranet, that's its
domain of applicability; an FQDN is not necessary -- although it could
be used -- and should not necessarily be *required*.  Can you think of
cases where requiring a fully-qualified name is undesirable?  Put a
different way: why is it necessary?

# ># 6. all components of the path must be unescaped to the maximum
# ># extent possible. For example, if a URL contained %41 as a character,
# ># this character needs to be replaced by its unescaped version A.
# >
# >This should be done anyway (but only once, of course).
# 
# What I'm trying to say is that I believe it is legal to use %41 in
# place of any A in any URL. Because of that, we need to say how to
# compare URLs because obviously, character-by-character does not work
# in this case.

And if you use %41 in place of an A, your web framework will most
likely take care of this transform for you in a url-unescape
operation, so putting it in this list is confusing IMHO.  It's already
part of what you should do to any URL before doing anything with it.

# Well, speaking just about our code at NetMesh, we currently would  
# have two entries in our Yadis cache for URLs
#     http://foo.com/a%20b
# and
#     http://foo.com/a+b
# and chances are that if you brought those two URLs to the same  
# Relying Party based on our code, they would create separate  
# "accounts" in the database. I consider that a bug ... because there  
# is no practical way that
#     http://foo.com/a%20b
# and
#     http://foo.com/a+b
# could produce different web pages when entered into a browser.

I was confused about this earlier, since the "+" equates to a space.
Sorry about that.  But even in that case, the url-unescape step I
mentioned above makes this moot.  Do you see what I mean?

-- 
  Jonathan Daugherty
  JanRain, Inc.
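
The comparison problem discussed in this thread, as an added example that is not code from either participant or from any Yadis/OpenID library: a single-pass unescape of the path, and its effect on how many account keys a relying party stores for the two quoted URLs. All function names and the `plus_is_space` flag are hypothetical; the default follows RFC 3986, where "+" in a path is a literal character, and the flag models form-style decoding, where "+" is a space.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# RFC 3986 unreserved characters: the only ones that are safe to unescape
# without changing what the URL means.
UNRESERVED = frozenset(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~"
)
_PCT = re.compile(r"%([0-9A-Fa-f]{2})")


def _unescape_once(match):
    ch = chr(int(match.group(1), 16))
    # Keep reserved or unsafe octets escaped, with uppercase hex digits.
    return ch if ch in UNRESERVED else "%" + match.group(1).upper()


def normalize_path(path, plus_is_space=False):
    if plus_is_space:
        # Form-style policy: treat "+" as an escaped space.
        path = path.replace("+", "%20")
    # re.sub never rescans its own output, so "%2541" stays "%2541"
    # instead of being decoded a second time into "A".
    return _PCT.sub(_unescape_once, path) or "/"


def canonical_identity_url(url, plus_is_space=False):
    p = urlsplit(url)
    host = (p.hostname or "").lower()
    netloc = host if p.port is None else f"{host}:{p.port}"
    # Userinfo and fragment are dropped; the query is kept as given.
    return urlunsplit(
        (p.scheme.lower(), netloc, normalize_path(p.path, plus_is_space), p.query, "")
    )


def distinct_accounts(urls, plus_is_space=False):
    """Number of separate account keys a relying party would end up with."""
    return len({canonical_identity_url(u, plus_is_space) for u in urls})


# Constructed sample input, using the URLs quoted in the thread.
SAMPLE = ["http://foo.com/a%20b", "http://foo.com/a+b"]

if __name__ == "__main__":
    print(canonical_identity_url("http://foo.com/%41"))
    print(distinct_accounts(SAMPLE))
    print(distinct_accounts(SAMPLE, plus_is_space=True))
```

Whether the two URLs map to one account depends on which unescape policy is applied, so the identity provider and every relying party need to apply the same one.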

