Notes From Draft 10
Marius Scurtescu
marius at sxip.com
Mon Oct 16 21:54:06 UTC 2006
On 16-Oct-06, at 2:44 PM, Josh Hoyt wrote:
> On 10/16/06, Recordon, David <drecordon at verisign.com> wrote:
>> 6.1 Signed List Algorithm
> [...]
>> I'm thinking it would make sense to
>> change this algorithm to first alphabetically sort the arguments
>> to make
>> it very clear in terms of ordering.
>
> I think it's a good idea to say that the signed list MUST be generated
> by the IdP in that order. Then signature *verification* is compatible
> with OpenID 1's algorithm. Unless there is objection, I'll do this.
Sorting of unicode strings while not terrible hard it is not trivial
either. Why bother? The list of signed fields gives an explicit
ordering, this is good enough IMO.
Why would be an alphabetically sorted list better?
Marius
More information about the specs
mailing list