Proposal (Was: When are and aren't two URLs the same?)
Dick Hardt
dick at sxip.com
Mon Apr 24 17:56:45 UTC 2006
I would agree strongly with Johannes.
There MUST be a standard canonicalization method for URLs
-- Dick
On 24-Apr-06, at 10:51 AM, Johannes Ernst wrote:
> So your proposal -- as opposed to Draft-029 -- is the policy that
> any IDP implement their own equivalence policies?
> I have no problem with that -- but I do have a problem with each RP
> implementing their own equivalence policies.
>
> In this particular example, the IDP implemented its own equivalence
> policy -- "URL must be the same, character for character". And it
> didn't work because the RP implemented its own equivalence policy
> that was different from the IDP's, which was "port 80 may be
> specified, it's still the same URL".
>
> In the extreme case, this opens up a huge security hole. If the RP
> defines URL1 and URL2 to be equivalent, but the IDP does not, then
> the user owning URL2 can very easily impersonate the user with URL1 at
> the RP -- because RP does not distinguish the two!
>
> On Apr 24, 2006, at 10:36, Jonathan Daugherty wrote:
>
>> # In the example that I just gave (the part of my e-mail that you
>> # didn't quote), the user -- in this case, me -- got a weird error and
>> # could not log on. It required protocol-level debugging, and then
>> # code changes so the user could log on. This seems to qualify as a
>> # "case where this doesn't work"?
>>
>> No, that qualifies as "the debugging and testing you do when you set
>> up an identity provider", as well as "a procedure to implement IDP
>> behavior to manifest the identity URL equivalences that you want to
>> support."
>>
>> --
>> Jonathan Daugherty
>> JanRain, Inc.
>
> Johannes Ernst
> NetMesh Inc.
>
> http://netmesh.info/jernst
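A worked illustration of the mismatch Johannes describes and of the shared canonicalization Dick asks for, added here as an example rather than code from the thread or from either project; the two ad-hoc policy functions and the example.com URLs are constructed assumptions.

```python
# Added example (not from the thread): one canonicalization routine that both
# an RP and an IdP could apply before comparing identity URLs, shown beside the
# two ad-hoc policies described in the thread so the divergence is visible.
from urllib.parse import urlsplit, urlunsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def canonicalize(url: str) -> str:
    """Normalize the parts RFC 3986 defines as equivalent: lowercase scheme
    and host, drop an explicit default port, use "/" for an empty path.
    Query and fragment are kept as given; userinfo is not preserved
    (assumption: identity URLs carry none)."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port  # None when absent; raises ValueError on a bad port
    if port is None or port == DEFAULT_PORTS.get(scheme):
        netloc = host
    else:
        netloc = f"{host}:{port}"
    path = parts.path or "/"
    return urlunsplit((scheme, netloc, path, parts.query, parts.fragment))


def idp_equivalent(a: str, b: str) -> bool:
    """Policy the IdP in the thread used: character-for-character equality."""
    return a == b


def rp_equivalent(a: str, b: str) -> bool:
    """Policy the RP in the thread used: an explicit ":80" may be present or
    absent, nothing else is normalized (constructed to mirror the thread)."""
    return a.replace(":80/", "/") == b.replace(":80/", "/")


def shared_equivalent(a: str, b: str) -> bool:
    """Both sides apply the same canonicalization before comparing."""
    return canonicalize(a) == canonicalize(b)


def compare_policies(a: str, b: str) -> dict:
    """Evaluate each policy on one pair of URLs. A row where 'rp' and 'idp'
    disagree is exactly the mismatch the thread describes."""
    return {"idp": idp_equivalent(a, b),
            "rp": rp_equivalent(a, b),
            "shared": shared_equivalent(a, b)}


if __name__ == "__main__":
    # Constructed sample: the port-80 case from the thread.
    print(compare_policies("http://example.com:80/user", "http://example.com/user"))
```

With the port-80 pair the RP says "same" while the IdP says "different", which is the login failure reported upthread; with a shared canonicalization both sides return the same verdict.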