Proposal (Was: When are and aren't two URLs the same?)
cygnus at janrain.com
Mon Apr 24 17:59:15 UTC 2006
# In this particular example, the IDP implemented its own equivalence
# policy -- "URL must be the same, character for character". And it
# didn't work because the RP implemented its own equivalence policy
# that was different from the IDP's, which was "port 80 may be
# specified, it's still the same URL".
This was in fact a bug in our consumer's fetcher. This is definitely
a case where the RP's behavior is what's questionable. I hope this
won't be the case very often. :)
# In the extreme case, this opens up a huge security hole. If the RP
# defines URL1 and URL2 to be equivalent, but the IDP does not, then
# the user owning URL2 can very easily impersonate user with URL1 at
# the RP -- because RP does not distinguish the two!
But in this case, there won't be a user with URL1 and a user with
URL2; if they're equivalent, only one user will have both (technically
the user will have one or the other, but be able to use either).
More information about the yadis