Identifier portability: the fundamental issue
Martin Atkins
mart at degeneration.co.uk
Sat Oct 14 13:13:16 UTC 2006
Brad Fitzpatrick wrote:
>
> Counter-argument: but OpenID 1.1 does have two parameters: one's just in
> the return_to URL and managed by the client library, arguably in its own
> ugly namespace (not IdP/RP managed, not "openid.", but something else...
> the Perl library uses "oic." or something). So then it's harder to
> document the correct behavior to people ("RPs should verify the mapping
> when you get a signature!") because the parameter names aren't consistent
> between RP clients.
>
Not specifying it gives RPs the freedom to put whatever handle they want
in the return_to, though. If they *are* able to maintain state, they
might have some arg like ?handle=1380a383198bcefd933, which is
completely opaque to everyone except the RP.
I'd rather avoid specifying things we don't need to specify, since it
leaves more flexibility for implementors in an area where this
flexibility doesn't do any harm.
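
An added example, not part of the original message or of any OpenID library: a sketch of the stateful approach discussed above, where the RP puts only an opaque handle in return_to and checks the identifier mapping when the signed response comes back. The parameter name `handle`, the function names, the in-memory store and the example URLs are assumptions, and the IdP's signature is assumed to have been verified before `complete_auth` is called.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Hypothetical RP-side store: opaque handle -> what the RP expects back.
# A real RP would keep this server-side with an expiry time.
_pending = {}


def begin_auth(claimed_id, expected_identity, return_to_base):
    """Record the mapping the RP discovered (the identifier the user typed
    -> the identity the IdP will sign) and return a return_to URL that
    carries only an opaque handle for it."""
    handle = secrets.token_hex(10)  # meaningless to the IdP and the user
    _pending[handle] = {"claimed": claimed_id, "identity": expected_identity}
    return f"{return_to_base}?{urlencode({'handle': handle})}"


def complete_auth(return_to_url, signed_identity):
    """Called after the response signature has been verified.
    Returns the claimed identifier, or None if the mapping does not hold."""
    handles = parse_qs(urlparse(return_to_url).query).get("handle", [])
    if len(handles) != 1:
        return None  # missing or duplicated handle parameter
    state = _pending.pop(handles[0], None)  # one-time use: blocks replay
    if state is None:
        return None  # unknown, expired or already-used handle
    if state["identity"] != signed_identity:
        return None  # IdP signed an identity this request did not expect
    return state["claimed"]


if __name__ == "__main__":
    # Constructed sample values.
    url = begin_auth("http://user.example/", "http://idp.example/user",
                     "https://rp.example/return")
    print(url)
    print(complete_auth(url, "http://idp.example/user"))
```

Because the mapping lives in the RP's own store, nothing about it is visible in the URL, which is the flexibility the message argues for; a stateless RP would instead have to carry the mapping in return_to itself.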