Blog URI, is it necessary?

Martin Atkins mart at
Fri May 20 10:26:35 PDT 2005

Brad Fitzpatrick wrote:
> -- server-side process validates signature, gets public key from identity
>    server, validates (probably from cache) that the identity URL provided
>    does point to the identity server that was hit.  Now, even if the
>    identity server gave returned a differnet identity URL, and even
>    if that alternative identity URL pointed at the identity server,
>    the application MIGHT not have updates its identity URL form field
>    when the identity server returned.  it might have only stashed away
>    in hidden fields the timestamp and signature.
> So guys, what should be the recommendation here?  We have to tell
> consumers in the spec whether or not they should be prepared for the
> assert_identity value changing.

This is starting to sound like the "Canonical ID" thread.

More information about the yadis mailing list