[OpenID] OpenID signatures

Peter Williams pwilliams at rapattoni.com
Sat Aug 11 18:14:38 UTC 2007


SAML, via its use of xml-schema:ID, has the same issue, of course. One of Google's SAML responders was recently willing to insist that ID is well-formed - i.e. matches NCNAME, apparently.
 
When I looked at this ":" issue in the context of SAML, I had the following explanation - which one can dispute!
 
ID is a locally-scoped name, and shall not be used in the role reserved for URNs. When formalizing XML-DSIG and SAML, one notes the designer's use of ID rather than URNs. This requires implementation of the scoping rules, by conforming secure implementations with complete enforcement logic.
 
I'm going to guess that OpenID Auth 2.0 has a similar rationale, not that it's explicitly stated in this type of work. It's obviously been closely re-worked, over OpenID Auth 1.1.
 
Note below how one denotes using different id-forms in XML schema: though an ID must match NCNAME, it is not ACTUALLY an NCNAME. Subtle difference, obviously; but one the specifier is calling out - at least in the case of SAML. Both obviously deny the colon char!
 
Peter.
<!-- an element is declared by either:
a name and a type (either nested or referenced via the type attribute)
or a ref to an existing element declaration -->

<!ELEMENT %element; ((%annotation;)?, (%complexType;| %simpleType;)?,
                     (%unique; | %key; | %keyref;)*)>
<!-- simpleType or complexType only if no type|ref attribute -->
<!-- ref not allowed at top level -->
<!ATTLIST %element;
            name               %NCName;               #IMPLIED
            id                 ID                     #IMPLIED
            ref                %QName;                #IMPLIED
            type               %QName;                #IMPLIED
            minOccurs          %nonNegativeInteger;   #IMPLIED
            maxOccurs          CDATA                  #IMPLIED
            nillable           %boolean;              #IMPLIED
            substitutionGroup  %QName;                #IMPLIED
            abstract           %boolean;              #IMPLIED
            final              %complexDerivationSet; #IMPLIED
            block              %blockSet;             #IMPLIED
            default            CDATA                  #IMPLIED
            fixed              CDATA                  #IMPLIED
            form               %formValues;           #IMPLIED
            %elementAttrs;>
<!-- type and ref are mutually exclusive.
     name and ref are mutually exclusive, one is required -->
<!-- In the absence of type AND ref, type defaults to type of
     substitutionGroup, if any, else the ur-type, i.e. unconstrained -->
<!-- default and fixed are mutually exclusive -->



________________________________

From: general-bounces at openid.net on behalf of Ben Laurie
Sent: Sat 8/11/2007 10:33 AM
To: OpenID General
Subject: [OpenID] OpenID signatures



The proposal to implement OAuth as an OpenID extension made me look at
the spec again.

I have a nit.

http://openid.net/specs/openid-authentication-2_0-11.html#kvform says:

"A key or value MUST NOT contain a newline and a key also MUST NOT
contain a colon."
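The two rules discussed in this thread (the key-value form rule Ben quotes, and the ID-must-match-NCName point Peter raises for SAML) are both about keeping an encoded message unambiguous to parse, which is what a signature over that encoding depends on. The following Python is an added example, not code from either message or from the OpenID project: it encodes and parses key-value form, rejects keys containing a colon or newline as the draft requires, shows the mis-parse that occurs when the rule is bypassed, and checks a name against an ASCII-only approximation of NCName (the real NCName production also admits many non-ASCII characters; the regex here is an assumption-level simplification).

```python
import re

# Rule quoted from the OpenID Authentication 2.0 draft in the thread:
# "A key or value MUST NOT contain a newline and a key also MUST NOT
# contain a colon." Each pair is serialized as "key:value\n".


class KVFormError(ValueError):
    """Raised when input violates the key-value form rules."""


def kv_encode(pairs, validate=True):
    """Serialize an ordered list of (key, value) pairs into key-value form.

    validate=False exists only to demonstrate the ambiguity the rule
    prevents; a real implementation would never skip the check.
    """
    out = []
    for key, value in pairs:
        if validate:
            if "\n" in key or "\n" in value:
                raise KVFormError("newline in key or value: %r" % key)
            if ":" in key:
                raise KVFormError("colon in key: %r" % key)
        out.append("%s:%s\n" % (key, value))
    return "".join(out)


def kv_parse(text):
    """Parse key-value form back into a list of (key, value) pairs.

    The first colon on each line separates key from value, so values
    (such as URLs) may legitimately contain colons; keys may not.
    """
    body = text[:-1] if text.endswith("\n") else text
    if body == "":
        return []
    pairs = []
    for line in body.split("\n"):
        key, sep, value = line.partition(":")
        if not sep:
            raise KVFormError("line without colon: %r" % line)
        pairs.append((key, value))
    return pairs


def demonstrate_colon_ambiguity():
    """Show what goes wrong if a colon is allowed inside a key.

    Encoding key 'a:b' with value 'c' yields the line 'a:b:c', which
    any conforming parser reads as key 'a' with value 'b:c'. Returns
    (original pairs, re-parsed pairs) so the mismatch is visible.
    """
    original = [("a:b", "c")]
    reparsed = kv_parse(kv_encode(original, validate=False))
    return original, reparsed


# ASCII-only approximation of the XML NCName production (assumption:
# sufficient for the identifiers seen in this thread; the real grammar
# also allows a wide range of non-ASCII letters and combining marks).
_NCNAME_ASCII = re.compile(r"[A-Za-z_][A-Za-z0-9._\-]*")


def is_ncname(name):
    """Return True if name matches the ASCII NCName approximation.

    A colon is excluded by construction, matching the point in the
    thread that both ID and NCName deny the colon character.
    """
    return _NCNAME_ASCII.fullmatch(name) is not None


if __name__ == "__main__":
    # Constructed sample message: note the value may contain colons.
    msg = kv_encode([("mode", "id_res"),
                     ("ns", "http://specs.openid.net/auth/2.0")])
    print(msg)
    print(kv_parse(msg))
    print(demonstrate_colon_ambiguity())
    print(is_ncname("_abc"), is_ncname("ab:cd"), is_ncname("1abc"))
```

The round trip through kv_encode and kv_parse is only guaranteed when the validation in kv_encode is applied; demonstrate_colon_ambiguity shows the concrete mis-parse that a colon in a key produces, which is the reason the draft forbids it rather than leaving it to convention.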