Blog URI, is it necessary?

Ben Hyde bhyde at
Mon May 23 11:45:33 PDT 2005

On May 20, 2005, at 1:29 PM, Brad Fitzpatrick wrote:
> On Fri, 20 May 2005, Martin Atkins wrote:
>> Brad Fitzpatrick wrote:
>>> -- server-side process validates signature, gets public key from 
>>> identity
>>>    server, validates (probably from cache) that the identity URL 
>>> provided
>>>    does point to the identity server that was hit.  Now, even if the
>>>    identity server gave returned a differnet identity URL, and even
>>>    if that alternative identity URL pointed at the identity server,
>>>    the application MIGHT not have updates its identity URL form field
>>>    when the identity server returned.  it might have only stashed 
>>> away
>>>    in hidden fields the timestamp and signature.
>>> So guys, what should be the recommendation here?  We have to tell
>>> consumers in the spec whether or not they should be prepared for the
>>> assert_identity value changing.
>> This is starting to sound like the "Canonical ID" thread.
> The spec already has canonicalization rules:
> -- add "/" if there's no path
> -- add "http://" if there's no scheme
> -- follow redirects
> -- send final URL
> With that, I think it's up to the consumer to ask for the right URL in 
> the
> first place.
> If the identity server wants to canonicalize, it should redirect. 
> (Apache
> does by default, too, on directories)

The user, Alice, enter's a URL at a site, Steve.  Steve cleans up that 
URL and goes to get a
page from server Bob.   How clever can Bob get?  Or in other words what 
can Bob depend on
having at hand when he starts redirecting?  I think the spec needs a 
little clarification.   For
example, Bob can't depend on get Alice's or Steve's cookies - right?

  - ben

> So I vote nay.
> - Brad
> _______________________________________________
> yadis mailing list
> yadis at
  I forecast sunny weather!

More information about the yadis mailing list