When are and aren't two URLs the same? (ports)
Thomas Broyer
t.broyer at gmail.com
Wed Apr 19 08:56:29 UTC 2006
2006/4/18, Dick Hardt <dick at sxip.com>:
>
> On 14-Apr-06, at 8:56 PM, OHTSUKA Ko-hei wrote:
>
> > I think
> > http://joe.example.com/
> > http://joe.example.com:80/
> > http://joe.example.com
> > should be different identities.
>
> I would suggest that you follow the IETF RFC that talks about URL
> normalization. If after normalization, they are different, then treat
> them different.
>
> If users are typing in URLs, then you are best to normalize. Grandma
> is not going to know the difference between
> http://joe.example.com and http://joe.example.com/

Just one problem: Grandma is not going to know the difference between
http://example.com/joe and http://example.com/joe/ though those two
URIs remain different after normalization.

Actually, there seems to be, more generally, a problem with redirects.
Or am I missing the point here?

My guess is that Relying Parties should use URIs verbatim, except for
some "simple normalization" when the user enters something that is not
a valid URI (joe.example.com is not a valid URI –lacks a scheme– so
the Relying Party has to add an http:// prefix and should IMO ensure
there is a non-empty path, so the redirect/fetch/whatever will go to
http://joe.example.com/).

If the user enters example.com/joe, the redirect/fetch/whatever should
go to http://example.com/joe (without a www. prefix and without a
trailing slash).

If the user enters http://joe.example.com, the redirect/fetch/whatever
should go to http://joe.example.com/ (with a non-empty path).

Now, wrt what is the identity URI the Relying Party should store
and compare, I'd say it's the one sent back along with the signature.

In brief:
- a Relying Party must use the identity URI verbatim (except for
"simple normalization": adding a missing scheme, ensuring a non-empty
path)
- an Identity Provider must always return/show/tell the same identity
URI. I.e. in an OpenID context, there should always be an
openid.delegate, even if it's "a priori" equivalent to the document
URI.

Now, how about IRIs?
Is http://www.atemschutzunfälle.de/ equivalent to
http://www.xn--atemschutzunflle-7nb.de/ ?

--
Thomas Broyer
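
The two comparison policies discussed in this message, as an added example that is not part of the original post or of any OpenID/Yadis library. `simple_normalize` and `comparison_key` are hypothetical names; the "IETF RFC" in the quoted reply is assumed to be RFC 3986 (section 6), and the IRI question is handled by converting the host to its IDNA ASCII form, which is only one possible answer to it.

```python
from urllib.parse import urlsplit, urlunsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def simple_normalize(user_input):
    """The "simple normalization" from the message: add a missing scheme
    and ensure a non-empty path. Everything else stays verbatim."""
    text = user_input.strip()
    if "://" not in text:
        text = "http://" + text            # joe.example.com lacks a scheme
    parts = urlsplit(text)
    if not parts.netloc:
        raise ValueError("no host in %r" % user_input)
    return urlunsplit(parts._replace(path=parts.path or "/"))


def comparison_key(uri):
    """Normalization in the spirit of RFC 3986 section 6 (assumed RFC):
    lowercase scheme and host, drop the scheme's default port, and map an
    IDN host to its IDNA ASCII (xn--) form. The path is left untouched."""
    parts = urlsplit(simple_normalize(uri))
    if parts.username is not None:
        raise ValueError("userinfo is not accepted in an identity URI")
    scheme = parts.scheme.lower()
    host = parts.hostname.encode("idna").decode("ascii")  # hostname is lowercased
    port = parts.port
    if port is not None and port != DEFAULT_PORTS.get(scheme):
        host = "%s:%d" % (host, port)
    return urlunsplit((scheme, host, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    # URLs taken from the thread; each is shown under both policies.
    samples = [
        "joe.example.com", "http://joe.example.com", "http://joe.example.com:80/",
        "example.com/joe", "http://example.com/joe/",
        "http://www.atemschutzunfälle.de/",
        "http://www.xn--atemschutzunflle-7nb.de/",
    ]
    for s in samples:
        print("%-42s simple=%-42s key=%s"
              % (s, simple_normalize(s), comparison_key(s)))
```

Under `simple_normalize` alone, the `:80` form and the IDN form stay distinct from their counterparts; under `comparison_key` they collapse, while `/joe` and `/joe/` remain different under both.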
More information about the yadis mailing list