[OpenID] OpenID signatures
Ben Laurie
benl at google.com
Sat Aug 11 17:33:37 UTC 2007
The proposal to implement OAuth as an OpenID extension made me look at
the spec again.
I have a nit.
http://openid.net/specs/openid-authentication-2_0-11.html#kvform says:
"A key or value MUST NOT contain a newline and a key also MUST NOT
contain a colon."
Apart from the grammatical ambiguity here (if one of my keys does not
contain a colon or newline and one of my values does not contain a
newline, then I have satisfied this clause, even if others do), the
larger issue is what should be done if a key or value _does_ contain a
forbidden value. Obviously it will be necessary to escape it. Rather
than forcing developers to do this ad-hoc (or, worse, not do it at
all) it would be better for the spec to specify an escaping mechanism,
and for APIs to cause this to occur automatically.
As I write this I feel sure I've mentioned this before. Is there some
objection to addressing it?
On a related note:
"The message MUST be encoded in UTF-8 to produce a byte string"
What? Who said the message was Unicode? Why can it not be a binary blob?
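The two points raised above (forbidden characters with no escaping rule, and the UTF-8 requirement) are concrete enough to show in code. The following is an added example, not part of the original post and not code from the OpenID project: a strict encoder and decoder for the Key-Value Form described at the linked section of the spec (one "key:value" per line, keys without ':' or newline, values without newline, the whole message UTF-8 encoded). Because the spec defines no escaping mechanism, the encoder refuses any pair it cannot represent; the `naive_encode` and `smuggled_keys` helpers are hypothetical names used only to show what happens when an implementation concatenates without checking. The sample messages are constructed for the example.

```python
# Added example (not from the original post or the OpenID spec): a strict
# encoder/decoder for OpenID 2.0 Key-Value Form Encoding.
# Format: one "key:value\n" line per pair; a key MUST NOT contain ':' or '\n',
# a value MUST NOT contain '\n'; the message is UTF-8 encoded to bytes.
# The spec gives no escaping rule, so the only safe serializer behaviour is
# to reject a pair that cannot be represented rather than emit it.


class KVFormError(ValueError):
    """Raised for a message or pair that cannot be represented in KV form."""


def kvform_encode(pairs):
    """Encode an ordered list of (key, value) str pairs to KV-form bytes.

    Refuses keys containing ':' or '\\n' and values containing '\\n'
    instead of producing a byte string that decodes to different pairs.
    """
    out = []
    for key, value in pairs:
        if "\n" in key or ":" in key:
            raise KVFormError("key contains a forbidden character: %r" % key)
        if "\n" in value:
            raise KVFormError("value contains a newline: %r" % value)
        out.append("%s:%s\n" % (key, value))
    # The spec requires UTF-8 here; a value that is arbitrary bytes (a raw
    # MAC, say) cannot be carried without a prior text encoding such as base64.
    return "".join(out).encode("utf-8")


def kvform_decode(data):
    """Decode KV-form bytes to an ordered list of (key, value) str pairs."""
    pairs = []
    text = data.decode("utf-8")  # raises UnicodeDecodeError on non-UTF-8 input
    for line in text.split("\n"):
        if line == "":
            continue  # trailing newline leaves one empty element
        key, sep, value = line.partition(":")  # only the first ':' separates
        if not sep:
            raise KVFormError("line without ':' separator: %r" % line)
        pairs.append((key, value))
    return pairs


def naive_encode(pairs):
    """Hypothetical careless implementation: concatenate with no checks."""
    return "".join("%s:%s\n" % (k, v) for k, v in pairs).encode("utf-8")


def smuggled_keys(pairs):
    """Keys a receiver sees when `pairs` is encoded without the checks.

    A value containing a newline followed by 'key:...' is read back as an
    extra pair; this is what the MUST NOT wording leaves open when it
    forbids the character without saying how to escape it.
    """
    return [k for k, _ in kvform_decode(naive_encode(pairs))]


if __name__ == "__main__":
    # Constructed sample: a value that tries to inject a second "mode" key.
    evil = [("mode", "id_res"),
            ("identity", "https://example.org/alice\nmode:cancel")]
    print(smuggled_keys(evil))          # the naive path yields three keys
    try:
        kvform_encode(evil)
    except KVFormError as e:
        print("strict encoder refused:", e)
```

The decoder splits each line on the first colon only, so a value such as a URL containing ':' survives; the encoder's rejection is what keeps a newline inside a value from becoming a forged key on the receiving side. Binary values have to be turned into text (base64, as the spec does for its signature and MAC key fields) before they can satisfy the UTF-8 requirement at all.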