Request for comments: Sorting fields in signature generation
Josh Hoyt
josh at janrain.com
Wed Sep 27 17:04:22 UTC 2006

On 9/27/06, David Fuelling <sappenin at gmail.com> wrote:
> Just for clarification -- if duplicate parameters of the same name are NOT
> allowed by the spec, would one still be able to encode multiple values in
> the same key/value pair? Wouldn't this accomplish the same result as
> allowing duplicate key names?

OpenID already uses this mechanism. HMAC-SHA1 signatures include a
"signed" list, which is a single value containing a comma-separated
list (response to checkid_setup and checkid_immediate in [1],
sreg.required and sreg.optional in [2]).

This mechanism is simple, transparent and established. This is the
solution I prefer if fields in an OpenID message are multi-valued.

Josh

1. http://openid.net/specs/specs-1.0.bml
2. http://openid.net/specs/openid-simple-registration-extension-1_0.html#anchor3
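
Added example, not part of the original message or of any OpenID library: a Python sketch of an OpenID 1.x style HMAC-SHA1 signature computed over the fields named in the comma-separated "signed" value, in list order, so wire ordering is irrelevant and duplicate parameter names can be rejected outright. The secret, URLs and function names are constructed for illustration.

```python
import base64, hashlib, hmac
from urllib.parse import parse_qsl, urlencode

def parse_unique(query):
    """Parse a query string, refusing duplicate parameter names."""
    fields = {}
    for key, value in parse_qsl(query, keep_blank_values=True):
        if key in fields:
            raise ValueError("duplicate parameter: " + key)
        fields[key] = value
    return fields

def token_contents(fields):
    """One 'key:value' line per signed field, in the order 'signed' lists them."""
    lines = []
    for name in fields["openid.signed"].split(","):
        value = fields["openid." + name]
        # Key-value form cannot carry a newline, or a colon inside a key.
        if "\n" in value or "\n" in name or ":" in name:
            raise ValueError("field cannot be represented: " + name)
        lines.append(name + ":" + value + "\n")
    return "".join(lines).encode("utf-8")

def sign(secret, fields):
    """Base64 HMAC-SHA1 over the signed fields only."""
    mac = hmac.new(secret, token_contents(fields), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode("ascii")

def verify(secret, query):
    """True only if openid.sig matches the fields listed in openid.signed."""
    fields = parse_unique(query)  # duplicates raise before any MAC is computed
    try:
        expected = sign(secret, fields)
        # Constant-time comparison of the two base64 strings.
        return hmac.compare_digest(expected.encode(), fields["openid.sig"].encode())
    except (KeyError, ValueError):
        return False  # missing or unrepresentable signed field

# Constructed sample data (assumed values, not from the original message).
SECRET = b"constructed-association-secret"
FIELDS = {
    "openid.mode": "id_res",
    "openid.identity": "http://example.com/alice",
    "openid.return_to": "http://rp.example.org/return",
    "openid.signed": "mode,identity,return_to",
}
FIELDS["openid.sig"] = sign(SECRET, FIELDS)
QUERY = urlencode(FIELDS)
```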