Proposal (Was: When are and aren't two URLs the same?)

Dick Hardt dick at
Mon Apr 24 17:56:45 UTC 2006

I would agree strongly with Johannes.

There MUST be a standard canonicalization method for URLs

-- Dick

On 24-Apr-06, at 10:51 AM, Johannes Ernst wrote:

> So your proposal -- as opposed to Draft-029 -- is the policy that  
> any IDP implement their own equivalence policies?
> I have no problem with that -- but I do have a problem with each RP  
> implementing their own equivalence policies.
> In this particular example, the IDP implemented its own equivalence  
> policy -- "URL must be the same, character for character". And it  
> didn't work because the RP implemented its own equivalence policy  
> that was different from the IDP's, which was "port 80 may be  
> specified, it's still the same URL".
> In the extreme case, this opens up a huge security hole. If the RP  
> defines URL1 and URL2 to be equivalent, but the IDP does not, then  
> the user owning URL2 can very easily impersonate user with URL1 at  
> the RP -- because RP does not distinguish the two!
> On Apr 24, 2006, at 10:36, Jonathan Daugherty wrote:
>> # In the example that I just gave (the part of my e-mail that you
>> # didn't quote), the user -- in this case, me -- got a weird error  
>> and
>> # could not log on. It required protocol-level debugging, and then
>> # code changes so the user could log on. This seems to qualify as a
>> # "case where this doesn't work"?
>> No, that qualifies as "the debugging and testing you do when you set
>> up an identity provider", as well as "a procedure to implement IDP
>> behavior to manifest the identity URL equivalences that you want to
>> support."
>> -- 
>>   Jonathan Daugherty
>>   JanRain, Inc.
> Johannes Ernst
> NetMesh Inc.
> <lid.gif>

More information about the yadis mailing list