Blog URI, is it necessary?

Brad Fitzpatrick brad at danga.com
Fri May 20 10:29:51 PDT 2005


On Fri, 20 May 2005, Martin Atkins wrote:

> Brad Fitzpatrick wrote:
> >
> > -- server-side process validates signature, gets public key from identity
> >    server, validates (probably from cache) that the identity URL provided
> >    does point to the identity server that was hit.  Now, even if the
> >    identity server gave returned a differnet identity URL, and even
> >    if that alternative identity URL pointed at the identity server,
> >    the application MIGHT not have updates its identity URL form field
> >    when the identity server returned.  it might have only stashed away
> >    in hidden fields the timestamp and signature.
> >
> > So guys, what should be the recommendation here?  We have to tell
> > consumers in the spec whether or not they should be prepared for the
> > assert_identity value changing.
> >
>
> This is starting to sound like the "Canonical ID" thread.

The spec already has canonicalization rules:

-- add "/" if there's no path
-- add "http://" if there's no scheme
-- follow redirects
-- send final URL

With that, I think it's up to the consumer to ask for the right URL in the
first place.

If the identity server wants to canonicalize, it should redirect. (Apache
does by default, too, on directories)

So I vote nay.

- Brad


More information about the yadis mailing list