Proposal (Was: When are and aren't two URLs the same?)

Jonathan Daugherty cygnus at
Mon Apr 24 17:59:15 UTC 2006

# In this particular example, the IDP implemented its own equivalence
# policy -- "URL must be the same, character for character". And it
# didn't work because the RP implemented its own equivalence policy
# that was different from the IDP's, which was "port 80 may be
# specified, it's still the same URL".

This was in fact a bug in our consumer's fetcher.  This is definitely
a case where the RP's behavior is what's questionable.  I hope this
won't be the case very often. :)

# In the extreme case, this opens up a huge security hole. If the RP
# defines URL1 and URL2 to be equivalent, but the IDP does not, then
# the user owning URL2 can very easily impersonate user with URL1 at
# the RP -- because RP does not distinguish the two!

But in this case, there won't be a user with URL1 and a user with
URL2; if they're equivalent, only one user will have both (technically
the user will have one or the other, but be able to use either).

  Jonathan Daugherty
  JanRain, Inc.

More information about the yadis mailing list
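The equivalence-policy mismatch discussed in this thread, shown in code as an added example that is not part of the original mailing-list post. The two policies are taken from the thread: the IDP compares identifiers character for character, while the RP treats an explicit default port as equivalent to no port. The `normalize_url` helper is a constructed, deliberately narrow normalization (case-fold scheme and host, drop a default port, make an empty path "/"), not any standard's algorithm; `policies_disagree` flags the pairs where the RP would merge two identifiers that the IDP keeps distinct, which is exactly the situation an RP should check for before accepting an assertion.

```python
from urllib.parse import urlsplit, urlunsplit

# Default ports the RP's lax policy strips (assumption: the thread only
# mentions port 80, the https entry is added for symmetry).
DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize_url(url: str) -> str:
    """Canonicalize a URL the way an RP that drops default ports would.

    Touches only the scheme and host case, an explicit default port, an
    empty path and the fragment. Constructed for illustration; it is not
    a standard's normalization procedure.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port  # None when no port was written
    netloc = host
    if port is not None and DEFAULT_PORTS.get(scheme) != port:
        netloc = f"{host}:{port}"
    path = parts.path or "/"
    # Fragment is dropped: it never reaches the server and cannot name a user.
    return urlunsplit((scheme, netloc, path, parts.query, ""))


def strict_equal(a: str, b: str) -> bool:
    """The IDP's policy from the thread: same URL, character for character."""
    return a == b


def lax_equal(a: str, b: str) -> bool:
    """The RP's policy from the thread: equal after dropping a default port."""
    return normalize_url(a) == normalize_url(b)


def policies_disagree(a: str, b: str) -> bool:
    """True when the RP and the IDP would answer differently for this pair.

    A pair on which the RP says 'same' but the IDP says 'different' is the
    case the thread warns about: the RP has merged two identifiers that the
    IDP treats as belonging to separate users. An RP that runs this check
    against the identifier it started discovery on, and the identifier the
    assertion names, can refuse the assertion instead of silently merging.
    """
    return strict_equal(a, b) != lax_equal(a, b)


if __name__ == "__main__":
    # Constructed sample pairs.
    pairs = [
        ("http://example.com:80/", "http://example.com/"),
        ("http://example.com/alice", "http://example.com/bob"),
        ("http://example.com:8080/", "http://example.com/"),
    ]
    for a, b in pairs:
        print(f"{a} vs {b}: strict={strict_equal(a, b)} "
              f"lax={lax_equal(a, b)} disagree={policies_disagree(a, b)}")
```

The first pair is the thread's own case: the RP calls the two URLs the same and the IDP does not, so `policies_disagree` is true. The other two pairs are normalized to different strings under both policies and raise no flag; a non-default port is kept because it genuinely selects a different server.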