Request for comments: Sorting fields in signature generation

[Josh Hoyt]

On 9/26/06, Barry Ferg <barry at sxip.com> wrote:
> The signature generation algorithm specifies that the fields to be
> signed be ordered in byte order form.  It seems to be implied that
> the ordering is based on using the field names as sorting keys

I think the real topic of this discussion is whether or not multiple
parameters with the same name should be allowed by the specification.

I *strongly* prefer tightening the specification by *disallowing*
duplicate parameter names. PHP is one environment in which the
implementation will be problematic, but other common environments
(e.g. Rails) do not easily support this idiom. There is *no deployed
code* that depends on duplicated parameter names, and I'd like to keep
it that way. Keep it simple if possible.

I agree that the language in the specification should be clarified so
that the sort order is fully explicit. I would resolve this issue by
stating that the pairs must be sorted by key.

On another note:

> Pass-through (or "echo") parameters and potentially some OpenID
> extension parameters may include fields with multiple values in order
> to communicate arrays of data, etc.

Attribute exchange and other extensions can *easily* be designed not
to require multiple parameters with the same name.

Pass-through parameters are *not part of any OpenID specification.*
Even if they were, I don't think it would be too great of a
restriction to disallow duplicate parameter names.

Josh