Proposal (Was: When are and aren't two URLs the same?)
Jonathan Daugherty
cygnus at janrain.com
Fri Apr 21 21:40:57 UTC 2006
# Is susceptibility to phishing a technical reason for you?
Not necessarily. A solution which makes phishing *impossible* without
breaking anything else is a more convincing solution than one which
merely makes it "less likely".
# As Kim Cameron pointed out so memorably, we must consider the user
# part of the identity system in whatever we do. The majority of the
# elements in my list of transformations are motivated by that
# consideration.
And I consider the user's confusion when the identity URL he sees on
sites which consume it differs -- perhaps remarkably -- from what his
IDP has given him. (Since sites store the canonicalized version and
display that while the user navigates the site.)
# Anybody have an idea how to say that better? It could be we simply
# say: DNS names in Yadis URLs must always be fully qualified.
If a yadis identifier is used on a corporate intranet, that's its
domain of applicability; an FQDN is not necessary -- although it could
be used -- and should not necessarily be *required*. Can you think of
cases where requiring a fully-qualified name is undesirable? Put a
different way: why is it necessary?
# ># 6. all components of the path must be unescaped to the maximum
# ># extent possible. For example, if a URL contained %41 as a character,
# ># this character needs to be replaced by its unescaped version A.
# >
# >This should be done anyway (but only once, of course).
#
# What I'm trying to say is that I believe it is legal to use %41 in
# place of any A in any URL. Because of that, we need to say how to
# compare URLs because obviously, character-by-character does not work
# in this case.
And if you use %41 in place of an A, your web framework will most
likely take care of this transform for you in a url-unescape
operation, so putting it in this list is confusing IMHO. It's already
part of what you should do to any URL before doing anything with it.
# Well, speaking just about our code at NetMesh, we currently would
# have two entries in our Yadis cache for URLs
# http://foo.com/a%20b
# and
# http://foo.com/a+b
# and chances are that if you brought those two URLs to the same
# Relying Party based on our code, they would create separate
# "accounts" in the database. I consider that a bug ... because there
# is no practical way that
# http://foo.com/a%20b
# and
# http://foo.com/a+b
# could produce different web pages when entered into a browser.
I was confused about this earlier, since the "+" equates to a space.
Sorry about that. But even in that case, the url-unescape step I
mentioned above makes this moot. Do you see what I mean?
--
Jonathan Daugherty
JanRain, Inc.
More information about the yadis
mailing list