Proposal (Was: When are and aren't two URLs the same?)
Johannes Ernst
jernst+lists.danga.com at netmesh.us
Mon Apr 24 17:51:44 UTC 2006
So your proposal -- as opposed to Draft-029 -- is the policy that any
IDP implement their own equivalence policies?
I have no problem with that -- but I do have a problem with each RP
implementing their own equivalence policies.
In this particular example, the IDP implemented its own equivalence
policy -- "URL must be the same, character for character". And it
didn't work because the RP implemented its own equivalence policy
that was different from the IDP's, which was "port 80 may be
specified, it's still the same URL".
In the extreme case, this opens up a huge security hole. If the RP
defines URL1 and URL2 to be equivalent, but the IDP does not, then
the user owning URL2 can very easily impersonate user with URL1 at
the RP -- because RP does not distinguish the two!
On Apr 24, 2006, at 10:36, Jonathan Daugherty wrote:
> # In the example that I just gave (the part of my e-mail that you
> # didn't quote), the user -- in this case, me -- got a weird error and
> # could not log on. It required protocol-level debugging, and then
> # code changes so the user could log on. This seems to qualify as a
> # "case where this doesn't work"?
>
> No, that qualifies as "the debugging and testing you do when you set
> up an identity provider", as well as "a procedure to implement IDP
> behavior to manifest the identity URL equivalences that you want to
> support."
>
> --
> Jonathan Daugherty
> JanRain, Inc.
Johannes Ernst
NetMesh Inc.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: lid.gif
Type: image/gif
Size: 973 bytes
Desc: not available
Url : http://lists.danga.com/pipermail/yadis/attachments/20060424/bea0c049/lid.gif
-------------- next part --------------
http://netmesh.info/jernst
More information about the yadis
mailing list