Blog URI, is it necessary?

Martin Atkins mart at degeneration.co.uk
Fri May 20 10:43:00 PDT 2005


Brad Fitzpatrick wrote:
> On Fri, 20 May 2005, Martin Atkins wrote:
> 
> 
>>Brad Fitzpatrick wrote:
>>
>>>-- server-side process validates signature, gets public key from identity
>>>   server, validates (probably from cache) that the identity URL provided
>>>   does point to the identity server that was hit.  Now, even if the
>>>   identity server returned a different identity URL, and even
>>>   if that alternative identity URL pointed at the identity server,
>>>   the application MIGHT not have updated its identity URL form field
>>>   when the identity server returned.  It might have only stashed away
>>>   in hidden fields the timestamp and signature.
>>>
>>>So guys, what should be the recommendation here?  We have to tell
>>>consumers in the spec whether or not they should be prepared for the
>>>assert_identity value changing.
>>>
>>
>>This is starting to sound like the "Canonical ID" thread.
> 
> 
> The spec already has canonicalization rules:
> 
> -- add "/" if there's no path
> -- add "http://" if there's no scheme
> -- follow redirects
> -- send final URL
> 
> With that, I think it's up to the consumer to ask for the right URL in the
> first place.
> 
> If the identity server wants to canonicalize, it should redirect. (Apache
> does by default, too, on directories)
> 

What about brad.livejournal.com vs. www.livejournal.com/users/brad/ ? 
Both represent Brad at LiveJournal, but any consumer which wants to have 
special behavior for LiveJournal will have to have three different 
patterns. (and DeadJournal, and any other LiveJournal clone)

LiveJournal can't redirect www.livejournal.com/users/brad/ to 
brad.livejournal.com because it can't distinguish between an OpenID 
consumer and a regular pageview.

However, since I made that post earlier today about canonical IDs I've 
come around to thinking it's a bad idea. It should be the Identity URL's 
responsibility to canonicalize, since otherwise all of the identity 
servers will canonicalize in different ways.

I guess LiveJournal users just get three different identities.
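
The canonicalization rules quoted in this thread, as an added sketch that is not part of the original message or of any OpenID implementation: the function names are hypothetical, and a constructed redirect table stands in for real HTTP responses so the code runs offline. It shows why the two LiveJournal URLs become separate identities unless the server itself redirects one to the other.

```python
import re
from urllib.parse import urlsplit, urlunsplit

SCHEME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://")

def normalize(user_input):
    """Syntactic rules: add "http://" if no scheme, add "/" if no path."""
    url = user_input.strip()
    if not SCHEME_RE.match(url):
        url = "http://" + url
    parts = urlsplit(url)
    return urlunsplit(parts._replace(path=parts.path or "/"))

def follow_redirects(url, redirects, max_hops=5):
    """Rule "follow redirects": `redirects` maps URL -> Location target.

    Assumption: the dict replaces live HTTP requests. Loops and overly
    long chains are rejected instead of being followed forever.
    """
    seen = {url}
    for _ in range(max_hops + 1):
        target = redirects.get(url)
        if target is None:
            return url
        if target in seen:
            raise ValueError("redirect loop at " + target)
        seen.add(target)
        url = target
    raise ValueError("too many redirects")

def canonical_identity(user_input, redirects):
    """Rule "send final URL": the value the consumer keys the identity on."""
    return follow_redirects(normalize(user_input), redirects)

if __name__ == "__main__":
    inputs = ["brad.livejournal.com", "www.livejournal.com/users/brad/"]

    # No server-side redirect: each input is its own identity.
    print({canonical_identity(u, {}) for u in inputs})

    # Constructed table: what the consumer would see if the server did
    # redirect the /users/ form to the subdomain form.
    constructed = {
        "http://www.livejournal.com/users/brad/": "http://brad.livejournal.com/",
    }
    print({canonical_identity(u, constructed) for u in inputs})
```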

