POST instead of GET for associate mode?
Brad Fitzpatrick
brad at danga.com
Thu Jun 9 11:51:39 PDT 2005
A base64-encoded two's complement bigint of 4096 bits is, at 33% larger,
682 bytes, before you factor in URL-escaping the occasional + signs.
So exchanging a 4095 bit prime (the largest) in my moduli file makes for
quite a lengthy URL. Ignoring the question of whether or not we need a
prime that long for DH-SHA1 enc_type, and whether or not there will be an
implied default p, let's look to the future....
In the future people will want some new assoc_type/enc_type that might
have even longer key exchange requirements. Because the UA and redirects
aren't involved during the consumer <-> idserver assoc step, does anybody
have opinions on making that step be a POST instead of a GET, so the URLs
don't get ridiculously long? The counter argument is that because user
agents aren't involved with their sometimes bizarre limits (2k for IE),
we don't care about the length of GET args, but I'd imagine different HTTP
libraries have their own bizarre limitations. For instance, some ASP.NET
consumer might end up using the same HTTP library that Internet Explorer
uses, so that ASP.NET site can't request huge GET URLs.
I'm for making the assoc step be a POST to be prepared for the future, but
I can be convinced otherwise if a good argument is made.
- Brad
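
The sizing question raised in the message above, as an added example that is not part of the original post: it encodes stand-in DH values the way the message describes (two's complement bigint, base64, URL-escaped) and compares the resulting GET URL length with the 2k limit. The endpoint, the parameter names `mode`, `p` and `public`, and the generated values are assumptions made for illustration.

```python
import base64
import random
from urllib.parse import urlencode

IE_URL_LIMIT = 2048  # the "2k for IE" figure mentioned in the message


def btwoc(n: int) -> bytes:
    """Minimal big-endian two's complement encoding of a non-negative int."""
    if n < 0:
        raise ValueError("DH values are non-negative")
    # bit_length() // 8 + 1 bytes always leaves the sign bit clear.
    return n.to_bytes(n.bit_length() // 8 + 1, "big")


def b64_btwoc(n: int) -> str:
    return base64.b64encode(btwoc(n)).decode("ascii")


def stand_in(bits: int, seed: int) -> int:
    """Constructed value with exactly `bits` bits (not a real prime or key)."""
    return random.Random(seed).getrandbits(bits) | (1 << (bits - 1))


def associate_query(bits: int) -> str:
    """URL-escaped query for a hypothetical associate request."""
    params = {
        "mode": "associate",   # hypothetical parameter name
        "enc_type": "DH-SHA1",
        "p": b64_btwoc(stand_in(bits, seed=1)),           # modulus stand-in
        "public": b64_btwoc(stand_in(bits - 1, seed=2)),  # public value stand-in
    }
    return urlencode(params)  # escapes '+', '/' and '=' as %XX


def report(bits: int) -> dict:
    query = associate_query(bits)
    url = "https://idserver.example/assoc?" + query  # constructed endpoint
    return {"bits": bits, "get_url_len": len(url), "post_body_len": len(query),
            "fits_2k_get": len(url) <= IE_URL_LIMIT}


if __name__ == "__main__":
    for bits in (1024, 2048, 4095, 8191):
        print(report(bits))
```

The same escaped string serves as the POST body, where the URL length limit of the HTTP library no longer applies to it.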