Identifier portability: the fundamental issue

Martin Atkins mart at degeneration.co.uk
Sat Oct 14 13:13:16 UTC 2006


Brad Fitzpatrick wrote:
> 
> Counter-argument:  but OpenID 1.1 does have two parameters:  one's just in
> the return_to URL and managed by the client library, arguably in its own
> ugly namespace (not IdP/RP managed, not "openid.", but something else...
> the Perl library uses "oic." or something).  So then it's harder to
> document the correct behavior to people ("RPs should verify the mapping
> when you get a signature!") because the parameter names aren't consistent
> between RP clients.
> 

Not specifying it gives RPs the freedom to put whatever handle they want 
in the return_to, though. If they *are* able to maintain state, they 
might have some arg like ?handle=1380a383198bcefd933, which is 
completely opaque to everyone except the RP.

I'd rather avoid specifying things we don't need to specify, since it 
leaves more flexibility for implementors in an area where this 
flexibility doesn't do any harm.
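
The stateful-RP approach described in this message, as an added example that is not part of the original post or of any OpenID library: the RP stores the claimed-identifier mapping under an opaque handle, puts only the handle in return_to, and checks the mapping when the signed response comes back. The names `begin_auth`, `finish_auth` and `_pending` are hypothetical, `signature_ok` stands in for the library's own signature check, and the return_to base is assumed to have no query string of its own.

```python
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

# Server-side state held by the RP: opaque handle -> (claimed id, IdP identity).
# A real deployment would use a session store with expiry (assumption).
_pending = {}

def begin_auth(claimed_id, idp_identity, return_to_base):
    """Remember the mapping and return a return_to URL carrying only a handle."""
    handle = secrets.token_hex(10)  # meaningless to everyone except the RP
    _pending[handle] = (claimed_id, idp_identity)
    return return_to_base + "?" + urlencode({"handle": handle})

def finish_auth(return_url, signature_ok):
    """Return the claimed identifier the user proved, or None on any mismatch."""
    query = parse_qs(urlsplit(return_url).query)
    handle = query.get("handle", [""])[0]
    state = _pending.pop(handle, None)  # single use: a replayed handle fails
    if state is None or not signature_ok:
        return None
    claimed_id, idp_identity = state
    # Verify the mapping: the identity the IdP signed must be the one this
    # RP recorded for the claimed identifier when it started the request.
    if query.get("openid.identity", [""])[0] != idp_identity:
        return None
    return claimed_id
```

Because the mapping never leaves the RP, nothing in the return_to URL can be edited to swap the claimed identifier for a different one.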





