When are and aren't two URLs the same? (ports)

Johannes Ernst jernst+lists.danga.com at netmesh.us
Thu Apr 13 23:45:39 UTC 2006

Do these URLs:
represent the same identity?

This is not a hypothetical question, because this very issue kept me  
(and all mylid.net users) from logging into the IIW wiki  
successfully. Specifically, our server responded with 404 when asked  
for URL http://mylid.net:80/jernst because it only served
http://mylid.net/jernst. Other problems may occur in the OpenID crypto, URL  
caches, even account systems.

On the HTTP protocol level, the difference is between
     GET /joe HTTP/1.1
     Host: example.com

     GET /joe HTTP/1.1
     Host: example.com:80

Turns out that if you type this type of URL into various browsers
different things happen:
     1) IE immediately zaps it as if you had never entered it
     2) Mozilla zaps it in the URL field, but adds the port spec to
        the host header
     3) Safari leaves it fully intact
So there doesn't seem to be much of a consensus.

I think we, as the community, have to decide on the following question:
In an OpenID context, as well as a LID context, should a Relying  
Party accept a signature that contains
if it wanted to prove
Or vice versa?

A version of this discussion took place on this list before, I  
believe, and people generally didn't want to get into it. However, at  
a minimum, we need to say "no URL transformation of any kind shall be  
permitted" if that is what we decide.

Alternatively, one can define equivalence rules -- here is a draft as  
we have it for LID (but equally well applies to OpenID and Yadis)


Johannes Ernst
NetMesh Inc.
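
One possible set of equivalence rules for the port question raised in this message, as an added example (not part of the original post, and not the LID draft it refers to). It applies RFC 3986 scheme-based normalization so that an explicit default port compares equal to an omitted one; the function names and the exact rule set are assumptions.

```python
from urllib.parse import urlsplit

# Default ports per scheme (RFC 3986 section 6.2.3, scheme-based normalization).
DEFAULT_PORTS = {"http": 80, "https": 443}


def canonical_identity(url: str) -> str:
    """Return a canonical form of an http(s) identity URL.

    Assumed rule set (not the LID draft): lower-case scheme and host, drop an
    explicit default port, treat an empty path as "/", drop the fragment.
    Path case and query are kept because they can select different resources.
    """
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError(f"unsupported scheme in identity URL: {url!r}")
    if parts.username or parts.password:
        raise ValueError("userinfo is not allowed in an identity URL")
    host = parts.hostname  # urlsplit already lower-cases the host
    if not host:
        raise ValueError(f"no host in identity URL: {url!r}")
    port = parts.port  # raises ValueError on a malformed port
    if ":" in host:
        host = f"[{host}]"  # restore brackets around an IPv6 literal
    if port is None or port == DEFAULT_PORTS[scheme]:
        netloc = host
    else:
        netloc = f"{host}:{port}"
    path = parts.path or "/"
    query = f"?{parts.query}" if parts.query else ""
    return f"{scheme}://{netloc}{path}{query}"


def same_identity(claimed: str, signed: str) -> bool:
    """Relying Party check: do the claimed and the signed URL name one identity?"""
    return canonical_identity(claimed) == canonical_identity(signed)


if __name__ == "__main__":
    # Constructed pairs; the first is the case from this message.
    for a, b in [
        ("http://mylid.net:80/jernst", "http://mylid.net/jernst"),
        ("http://mylid.net:8080/jernst", "http://mylid.net/jernst"),
        ("https://mylid.net:80/jernst", "http://mylid.net/jernst"),
    ]:
        print(f"{a}  vs  {b}  ->  {same_identity(a, b)}")
```

If the group instead settles on "no URL transformation of any kind", the comparison becomes a byte-for-byte string equality and the first pair above is rejected.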
