Proposal (Was: When are and aren't two URLs the same?)

Johannes Ernst at
Mon Apr 24 17:51:44 UTC 2006

So your proposal -- as opposed to Draft-029 -- is the policy that any  
IDP implement their own equivalence policies?
I have no problem with that -- but I do have a problem with each RP  
implementing their own equivalence policies.

In this particular example, the IDP implemented its own equivalence  
policy -- "URL must be the same, character for character". And it  
didn't work because the RP implemented its own equivalence policy  
that was different from the IDP's, which was "port 80 may be  
specified, it's still the same URL".

In the extreme case, this opens up a huge security hole. If the RP  
defines URL1 and URL2 to be equivalent, but the IDP does not, then  
the user owning URL2 can very easily impersonate the user with URL1 at
the RP -- because RP does not distinguish the two!

On Apr 24, 2006, at 10:36, Jonathan Daugherty wrote:

> # In the example that I just gave (the part of my e-mail that you
> # didn't quote), the user -- in this case, me -- got a weird error and
> # could not log on. It required protocol-level debugging, and then
> # code changes so the user could log on. This seems to qualify as a
> # "case where this doesn't work"?
> No, that qualifies as "the debugging and testing you do when you set
> up an identity provider", as well as "a procedure to implement IDP
> behavior to manifest the identity URL equivalences that you want to
> support."
> -- 
>   Jonathan Daugherty
>   JanRain, Inc.

Johannes Ernst
NetMesh Inc.
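
The mismatch discussed in this message can be checked mechanically. The following is an added example, not code from the thread or from any Yadis implementation: it encodes the two policies quoted above as key functions and lists identity URL pairs that one side treats as the same and the other does not. The function names and the example.com URLs are assumptions made for illustration.

```python
from itertools import combinations
from urllib.parse import urlsplit

def idp_key(url):
    # IDP policy quoted in the message: "URL must be the same, character for character".
    return url

def rp_key(url):
    # RP policy quoted in the message: "port 80 may be specified, it's still the same URL".
    # urlsplit also lowercases the scheme; the constructed samples are already lowercase.
    parts = urlsplit(url)
    netloc = parts.netloc
    if parts.scheme == "http" and netloc.endswith(":80"):
        netloc = netloc[: -len(":80")]
    return parts._replace(netloc=netloc).geturl()

def policy_mismatches(urls, idp=idp_key, rp=rp_key):
    """Compare two equivalence policies over a set of identity URLs.

    collapsed: the RP treats the pair as one identity but the IDP does not
               (the impersonation case described in the message).
    split:     the IDP treats the pair as one identity but the RP does not
               (logins fail or land in a second account).
    """
    collapsed, split = [], []
    for a, b in combinations(sorted(set(urls)), 2):
        same_idp, same_rp = idp(a) == idp(b), rp(a) == rp(b)
        if same_rp and not same_idp:
            collapsed.append((a, b))
        elif same_idp and not same_rp:
            split.append((a, b))
    return collapsed, split

# Constructed sample identifiers (example.com hosts, not from the message).
SAMPLE_URLS = [
    "http://alice.example.com/",
    "http://alice.example.com:80/",
    "http://alice.example.com:8080/",
    "https://alice.example.com/",
]

if __name__ == "__main__":
    collapsed, split = policy_mismatches(SAMPLE_URLS)
    for a, b in collapsed:
        print(f"RP merges, IDP separates: {a!r} vs {b!r}")
    for a, b in split:
        print(f"IDP merges, RP separates: {a!r} vs {b!r}")
```

Any pair of key functions can be passed in, so the same check works for other normalization rules an IDP or RP might apply.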
