Proposal (Was: When are and aren't two URLs the same?)

Johannes Ernst jernst+lists.danga.com at netmesh.us
Fri Apr 21 22:09:02 UTC 2006 

On Apr 21, 2006, at 14:40, Jonathan Daugherty wrote:

> # Is susceptibility to phishing a technical reason for you?
>
> Not necessarily.  A solution which makes phishing *impossible* without
> breaking anything else is a more convincing solution than one which
> merely makes it "less likely".

Are we getting off subject here? ;-) I thought there was general  
agreement that making phishing impossible is also impossible.

> # As Kim Cameron pointed out so memorably, we must consider the user
> # part of the identity system in whatever we do. The majority of the
> # elements in my list of transformations are motivated by that
> # consideration.
>
> And I consider the user's confusion when the identity URL he sees on
> sites which consume it differs -- perhaps remarkably -- from what his
> IDP has given him.  (Since sites store the canonicalized version and
> display that while the user navigates the site.)
>
> # Anybody have an idea how to say that better? It could be we simply
> # say: DNS names in Yadis URLs must always be fully qualified.
>
> If a yadis identifier is used on a corporate intranet, that's its
> domain of applicability; an FQDN is not necessary -- although it could
> be used -- and should not necessarily be *required*.  Can you think of
> cases where requiring a fully-qualified name is undesirable?  Put a
> different way: why is it necessary?

I have modified the page accordingly.

> # ># 6. all components of the path must be unescaped to the maximum
> # ># extent possible. For example, if a URL contained %41 as a  
> character,
> # ># this character needs to be replaced by its unescaped version A.
> # >
> # >This should be done anyway (but only once, of course).
> #
> # What I'm trying to say is that I believe it is legal to use %41 in
> # place of any A in any URL. Because of that, we need to say how to
> # compare URLs because obviously, character-by-character does not work
> # in this case.
>
> And if you use %41 in place of an A, your web framework will most
> likely take care of this transform for you in a url-unescape
> operation, so putting it in this list is confusing IMHO.  It's already
> part of what you should do to any URL before doing anything with it.

This is exactly my point. You and I believe that this transformation  
needs to be done (e.g. by your web framework), and that's why I'm  
writing down that it needs to be done.

> # Well, speaking just about our code at NetMesh, we currently would
> # have two entries in our Yadis cache for URLs
> #     http://foo.com/a%20b
> # and
> #     http://foo.com/a+b
> # and chances are that if you brought those two URLs to the same
> # Relying Party based on our code, they would create separate
> # "accounts" in the database. I consider that a bug ... because there
> # is no practical way that
> #     http://foo.com/a%20b
> # and
> #     http://foo.com/a+b
> # could produce different web pages when entered into a browser.
>
> I was confused about this earlier, since the "+" equates to a space.
> Sorry about that.  But even in that case, the url-unescape step I
> mentioned above makes this moot.  Do you see what I mean?

I collapsed that point with the previous one.

>
> -- 
>   Jonathan Daugherty
>   JanRain, Inc.

Johannes Ernst
NetMesh Inc.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: lid.gif
Type: image/gif
Size: 973 bytes
Desc: not available
Url : http://lists.danga.com/pipermail/yadis/attachments/20060421/84d754e5/lid.gif
-------------- next part --------------
  http://netmesh.info/jernst

More information about the yadis mailing list