[OpenID] OpenID signatures
Peter Williams
pwilliams at rapattoni.com
Sat Aug 11 18:14:38 UTC 2007
SAML, via its use of xml-schema:ID, has the same issue, of course. One of Google's SAML responders was recently willing to insist that ID is well-formed - i.e. matches NCNAME, apparently.
When I looked at this ":" issue in the context of SAML, I had the following explanation - which one can dispute!
ID is a locally-scoped name, and shall not be used in the role reserved for URNs. When formalizing XML-DSIG and SAML, one notes the designer's use of ID rather than URNs. This requires implementation of the scoping rules, by conforming secure implementations with complete enforcement logic.
I'm going to guess that OpenID Auth 2.0 has a similar rationale, not that it's explicitly stated in this type of work. It's obviously been closely re-worked, over OpenID Auth 1.1.
Note below, how one denotes using different id-forms, in XML schema: Though an ID must match NCNAME, it is not ACTUALLY an NCNAME. Subtle difference, obviously; but one the specifier is calling out - at least in the case of SAML. Both obviously deny the colon char!
Peter.
<!-- an element is declared by either:
a name and a type (either nested or referenced via the type attribute)
or a ref to an existing element declaration -->
<!ELEMENT %element; ((%annotation;)?, (%complexType;| %simpleType;)?,
                     (%unique; | %key; | %keyref;)*)>
<!-- simpleType or complexType only if no type|ref attribute -->
<!-- ref not allowed at top level -->
<!ATTLIST %element;
            name               %NCName;               #IMPLIED
            id                 ID                     #IMPLIED
            ref                %QName;                #IMPLIED
            type               %QName;                #IMPLIED
            minOccurs          %nonNegativeInteger;   #IMPLIED
            maxOccurs          CDATA                  #IMPLIED
            nillable           %boolean;              #IMPLIED
            substitutionGroup  %QName;                #IMPLIED
            abstract           %boolean;              #IMPLIED
            final              %complexDerivationSet; #IMPLIED
            block              %blockSet;             #IMPLIED
            default            CDATA                  #IMPLIED
            fixed              CDATA                  #IMPLIED
            form               %formValues;           #IMPLIED
            %elementAttrs;>
<!-- type and ref are mutually exclusive.
name and ref are mutually exclusive, one is required -->
<!-- In the absence of type AND ref, type defaults to type of
substitutionGroup, if any, else the ur-type, i.e. unconstrained -->
<!-- default and fixed are mutually exclusive -->
________________________________
From: general-bounces at openid.net on behalf of Ben Laurie
Sent: Sat 8/11/2007 10:33 AM
To: OpenID General
Subject: [OpenID] OpenID signatures
The proposal to implement OAuth as an OpenID extension made me look at
the spec again.
I have a nit.
http://openid.net/specs/openid-authentication-2_0-11.html#kvform says:
"A key or value MUST NOT contain a newline and a key also MUST NOT
contain a colon."
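As an added illustration (not code from either poster or from the OpenID project), the following Python encoder/decoder enforces exactly the Key-Value Form rule quoted above - no newline in a key or value, no colon in a key - and splits each line on the first colon only, so values such as URLs may carry colons. The simplified NCName check at the end is an ASCII-only approximation and an assumption, not the full XML production.

```python
import re

class KVFormError(ValueError):
    """Raised when input would break the line/colon framing of Key-Value Form."""

def valid_key(key):
    # Spec rule: a key MUST NOT contain a newline or a colon.
    return "\n" not in key and ":" not in key

def valid_value(value):
    # Spec rule: a value MUST NOT contain a newline (colons are allowed).
    return "\n" not in value

def kvform_encode(fields):
    """Serialise an insertion-ordered dict into Key-Value Form, refusing
    any key or value that could inject an extra line or shift the split."""
    lines = []
    for key, value in fields.items():
        if not valid_key(key):
            raise KVFormError("illegal key: %r" % key)
        if not valid_value(value):
            raise KVFormError("illegal value for key %r" % key)
        lines.append("%s:%s\n" % (key, value))
    return "".join(lines)

def kvform_decode(text):
    """Parse Key-Value Form strictly: every line needs a colon, the text
    must end with a newline, and duplicate keys are rejected rather than
    silently overwritten."""
    if text and not text.endswith("\n"):
        raise KVFormError("missing trailing newline")
    fields = {}
    for line in text.split("\n")[:-1]:
        key, sep, value = line.partition(":")   # first colon only
        if not sep:
            raise KVFormError("line without colon: %r" % line)
        if key in fields:
            raise KVFormError("duplicate key: %r" % key)
        fields[key] = value
    return fields

# Assumption: ASCII-only approximation of the XML NCName production the
# post refers to; the real production also admits many non-ASCII letters.
_NCNAME_ASCII = re.compile(r"^[A-Za-z_][A-Za-z0-9._-]*$")

def is_ncname(name):
    """True if `name` is an (ASCII) NCName; a colon always disqualifies it."""
    return _NCNAME_ASCII.match(name) is not None

if __name__ == "__main__":
    # Constructed sample message using the real OpenID 2.0 namespace value.
    msg = kvform_encode({"ns": "http://specs.openid.net/auth/2.0", "mode": "id_res"})
    print(msg, kvform_decode(msg), is_ncname("ns:ID"))
```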