Field separators

Paul Crowley paul at
Mon Jun 6 01:57:21 PDT 2005

Martin Atkins wrote:
> It's quite possible that I've missed something somewhere along the line,
> but I feel it's a good idea to point out that form-urlencoded doesn't
> enforce a parameter order, and the recieving end will need to know the
> parameter order so that it can check the hash.

We explicitly specify which parameters are signed and in what order with 
the comma-separated "openid.signed" field, so it's not too hard to 
assemble the token in order to check the signature.
\/ o\ Paul Crowley, paul at

More information about the yadis mailing list