Proposal (Was: When are and aren't two URLs the same?)

Jonathan Daugherty cygnus at janrain.com
Mon Apr 24 17:59:15 UTC 2006


# In this particular example, the IDP implemented its own equivalence
# policy -- "URL must be the same, character for character". And it
# didn't work because the RP implemented its own equivalence policy
# that was different from the IDP's, which was "port 80 may be
# specified, it's still the same URL".

This was in fact a bug in our consumer's fetcher.  This is definitely
a case where the RP's behavior is what's questionable.  I hope this
won't be the case very often. :)

# In the extreme case, this opens up a huge security hole. If the RP
# defines URL1 and URL2 to be equivalent, but the IDP does not, then
# the user owning URL2 can very easily impersonate user with URL1 at
# the RP -- because RP does not distinguish the two!

But in this case, there won't be a user with URL1 and a user with
URL2; if they're equivalent, only one user will have both (technically
the user will have one or the other, but be able to use either).

-- 
  Jonathan Daugherty
  JanRain, Inc.
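The two equivalence policies the thread contrasts ("character for character" versus "port 80 may be specified, it's still the same URL") can be made concrete. The block below is an added example, not code from this message, the yadis list or JanRain: it implements the syntax-based normalization of RFC 3986 section 6.2.2 as one equivalence key, a strict character-for-character key, and, for contrast, a deliberately over-broad key that case-folds the path. The sample identifiers, the `example.com` hostnames and the helper names are constructed for illustration. The `collisions()` helper is the check a relying party can run: feed it the identifiers an IdP actually issues and the RP's own equivalence key, and any group it returns is a pair of distinct users the RP cannot tell apart.

```python
"""Added example, not code from the yadis thread or from JanRain: compares
three URL equivalence policies on constructed identifier URLs.
normalize() follows RFC 3986 section 6.2.2 (syntax-based normalization);
the loose policy and the sample users are assumptions made for illustration."""
import re
import string
from urllib.parse import urlsplit, urlunsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
UNRESERVED = set(string.ascii_letters + string.digits + "-._~")


def normalize_pct(s: str) -> str:
    """Decode percent-encoded unreserved characters; uppercase the hex digits
    of every other escape (%2f -> %2F); leave everything else untouched."""
    def fix(m: re.Match) -> str:
        ch = chr(int(m.group(1), 16))
        return ch if ch in UNRESERVED else "%" + m.group(1).upper()
    return re.sub(r"%([0-9A-Fa-f]{2})", fix, s)


def remove_dot_segments(path: str) -> str:
    """RFC 3986 section 5.2.4: resolve '.' and '..' segments of an absolute path."""
    segs = path.split("/")
    out = []
    for i, seg in enumerate(segs):
        last = i == len(segs) - 1
        if seg == ".":
            if last:
                out.append("")          # a trailing '.' keeps the trailing slash
        elif seg == "..":
            if len(out) > 1:            # never pop the leading empty segment
                out.pop()
            if last:
                out.append("")
        else:
            out.append(seg)
    return "/".join(out)


def normalize(url: str) -> str:
    """Conservative equivalence key: lowercase scheme and host, drop an
    explicit default port, normalize percent-encoding, remove dot-segments,
    treat an empty path as '/', drop the fragment (a server never receives
    it).  Path case is preserved because RFC 3986 makes it significant.
    Only http(s) identifiers without userinfo are accepted (assumption)."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError(f"unsupported scheme: {url!r}")
    if parts.username is not None or not parts.hostname:
        raise ValueError(f"unsupported authority: {url!r}")
    host = parts.hostname.lower()
    port = parts.port                   # raises ValueError on a malformed port
    if port is not None and port != DEFAULT_PORTS[scheme]:
        host = f"{host}:{port}"
    path = remove_dot_segments(normalize_pct(parts.path)) or "/"
    query = normalize_pct(parts.query)
    return urlunsplit((scheme, host, path, query, ""))


# Equivalence policies expressed as keys: two identifiers are "the same"
# under a policy exactly when their keys compare equal.
def strict_key(url: str) -> str:
    """Character-for-character comparison (the IdP's policy in the thread)."""
    return url


def loose_key(url: str) -> str:
    """Over-broad policy, for contrast (assumption): case-folds the whole
    URL, path included, so /Alice and /alice become one identity."""
    return normalize(url).lower()


def collisions(urls, key):
    """Groups of distinct URLs that `key` maps to one value, i.e. the
    identifiers this policy cannot tell apart."""
    groups = {}
    for u in urls:
        groups.setdefault(key(u), []).append(u)
    return [g for g in groups.values() if len(g) > 1]


# Constructed sample identifiers, as if registered at a single IdP.
IDP_USERS = [
    "http://example.com/Alice",
    "http://example.com/alice",
    "http://example.com:80/bob",
]

if __name__ == "__main__":
    # The port-80 case from the thread: different strings, same identifier.
    print(normalize("http://example.com/") == normalize("http://example.com:80/"))
    for policy in (strict_key, normalize, loose_key):
        print(policy.__name__, collisions(IDP_USERS, policy))
```

Run against the constructed users, `strict_key` and `normalize` report no collisions, while `loose_key` merges `/Alice` and `/alice`; an RP whose key is looser than the IdP's is the situation the quoted paragraph warns about, so the safe direction for an RP is to be no looser than RFC 3986 normalization and to resolve any remaining doubt by asking the IdP rather than by widening its own policy.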


More information about the yadis mailing list