query parameters in identity URLs

Brad Fitzpatrick brad at danga.com
Mon Jun 27 21:15:24 PDT 2005

On Tue, 28 Jun 2005, Martin Atkins wrote:

> Brad Fitzpatrick wrote:
> >
> > The other easy thing to do is just say identity URLs can't have query
> > strings.
> >
> I don't think that's really feasible. There are plenty of sites out
> there which don't have *any* URLs without query strings:
> /index.php?page=about&user=mart&phpsessid=4834y59327y62358673496&uglyurl=true
> In an ideal world they'd clean up their URLs, but this ain't an ideal world.


> The .self proposal seems reasonable, though it might as well just go the
> extra few steps and become openid.canonical that was discussed before
> but dismissed.

It wasn't dismissed... it was never discussed.

Let's discuss:  pros & cons...

  -- con: late change

  -- con: won't totally solve the problem for malicious attackers anyway

  -- con: maybe somebody /wants/ to use bradfitz.com/?persona_a and
          bradfitz.com/?persona_b  separately, just like foo+bar at host.com
          email separators

  -- pro: can tell that two URLs are the same:

     -- con: but then does www.livejournal.com/users/brad/ get mapped
             to brad.livejournal.com on other sites?  what if my paid
             account expires, and brad.livejournal.com is now an error

I'm seeing more cons than pros.

- Brad

More information about the yadis mailing list