[OpenID] Announce: OpenID Authentication Draft 12 (finally)

Peter Williams pwilliams at rapattoni.com
Wed Aug 29 07:19:00 UTC 2007


OpenID says strip fragments, applying "OpenID Normalization". OpenID
Normalization can easily be re-defined as: strip any terminating #.

OpenID then goes on to mandate one apply the RFC's normalization
heuristic(s).

"The fragment component is
   not subject to any scheme-based normalization; thus, two URIs that
   differ only by the suffix "#" are considered different regardless of
   the scheme."


With the draft#12 as is, one MUST keep the # upon applying the RFC
heuristics, as it is a distinguished char in the denotational URI.

Why do I care so much about a #?

Discovery in draft#12 is a required security procedure - used when
verifying the "validity" of an Auth Response. In the cardspace spec, the
OpenID-normalized and then RFC normalized URI is used to produce a
claimed-identity. The discovery/denotational URI will be computed
after the claimed-identity is positively asserted, note.
Discovery is a test of validity of a corresponding AuthResponse: a test
that the AuthResponse speaks for the object denoted by the canonical
URI. That test is based on locating and testing for the security of
metadata.


(This all nicely parallels X.500 secure name resolution, now. In the
DOD/NATO secure X.500 1992 Directory terms, if you complete a secure
ACSE bind, citing certs and completing strong authentication per X.509,
DO now check the claimed subject Name/DN exists in the DIT. (Do this
also for intendedRecipient DNs in the DAPToken and DSPToken, when doing
secure remote operations). Those Names/DNs need not have corresponding
DIB entries. Yes, you have always had to first "normalize" the Name
signals in the metadata (such as certs) to be a DistinguishedName.)


-----Original Message-----
From: general-bounces at openid.net [mailto:general-bounces at openid.net] On
Behalf Of Johnny Bufu
Sent: Wednesday, August 29, 2007 12:00 AM
To: Rowan Kerr
Cc: OpenID specs list; OpenID general list
Subject: Re: [OpenID] Announce: OpenID Authentication Draft 12 (finally)


On 28-Aug-07, at 8:05 PM, Rowan Kerr wrote:

> On 28-Aug-07, at 6:11 PM, Johnny Bufu wrote:
>> On 27-Aug-07, at 7:05 PM, Peter Williams wrote:
>>> A. fragment identifiers on user input are to be removed. Do not
>>> remove
>>> the separator.
>>
>> Good thing we didn't call it final just yet. In my mind the separator
>> was part of the fragment, but re-reading the URI RFC it clearly is
>> not and you are right.
>
> So, RFC3986 says the # should be left as part of the URL?
> Apache logs indicate that user agents (or apache) behave otherwise.

No, it just says that the '#' character is not part of the fragment.
So we must specify in the OpenID spec that it is removed (when
appropriate) along with the fragment.

I'll check in a patch for this.


Johnny


_______________________________________________
general mailing list
general at openid.net
http://openid.net/mailman/listinfo/general
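The disagreement in this thread is whether a trailing '#' survives identifier normalization, and why that matters for verification: RFC 3986 treats "http://example.com/" and "http://example.com/#" as different URIs, so a relying party that strips the fragment but keeps the separator will compute a different canonical identifier than one that strips both, and the discovery/verification step will then be run against the wrong name. The following is an added example, not code from the thread or from any OpenID library: it implements RFC 3986 syntax-based normalization (case, percent-encoding, dot segments, default port, empty path) and shows both stripping variants side by side. The `keep_separator` flag is a hypothetical switch added only to show the difference; the code assumes inputs are already http(s) URLs (XRI and scheme-less inputs are not handled) and ignores IPv6 literal hosts.

```python
import re
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
# RFC 3986 section 2.3: characters that must never stay percent-encoded
UNRESERVED = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
                 "0123456789-._~")


def strip_fragment(uri, keep_separator=False):
    """Drop the fragment. keep_separator=True leaves the '#' in place,
    which is what the thread says RFC 3986 alone would do."""
    if "#" not in uri:
        return uri
    base, _fragment = uri.split("#", 1)
    return base + "#" if keep_separator else base


def normalize_pct(s):
    """RFC 3986 6.2.2.2/6.2.2.3: decode percent-encoded unreserved
    characters, upper-case the hex digits of everything else."""
    def fix(m):
        ch = chr(int(m.group(1), 16))
        return ch if ch in UNRESERVED else "%" + m.group(1).upper()
    return re.sub(r"%([0-9A-Fa-f]{2})", fix, s)


def remove_dot_segments(path):
    """RFC 3986 5.2.4 for absolute paths: resolve '.' and '..' segments,
    never climbing above the root."""
    out = []
    for seg in path.split("/"):
        if seg == ".":
            continue
        if seg == "..":
            if len(out) > 1:
                out.pop()
            continue
        out.append(seg)
    if path.endswith(("/.", "/..")):
        out.append("")  # a trailing '.' or '..' still ends in a slash
    return "/".join(out)


def rfc3986_normalize(uri):
    """Syntax-based normalization plus the http/https scheme defaults.
    The fragment and its '#' are carried through untouched, because the
    RFC says they are not subject to scheme-based normalization."""
    if "://" not in uri:
        raise ValueError("assumption of this example: input has a scheme")
    head, sep, fragment = uri.partition("#")
    p = urlsplit(head)
    scheme = p.scheme.lower()
    host = (p.hostname or "").lower()
    userinfo = ""
    if p.username is not None:
        userinfo = p.username
        if p.password is not None:
            userinfo += ":" + p.password
        userinfo += "@"
    port = ""
    if p.port is not None and p.port != DEFAULT_PORTS.get(scheme):
        port = ":%d" % p.port
    path = remove_dot_segments(normalize_pct(p.path)) or "/"
    query = "?" + normalize_pct(p.query) if p.query else ""
    return "%s://%s%s%s%s%s%s%s" % (scheme, userinfo, host, port, path,
                                     query, sep, fragment)


def openid_normalize(user_input, keep_separator=False):
    """Identifier normalization as the thread describes it: OpenID strips
    the fragment (and, unless keep_separator, the '#'), then the RFC
    normalization heuristics are applied."""
    return rfc3986_normalize(strip_fragment(user_input.strip(), keep_separator))


def same_identifier(a, b):
    """The comparison a verifier makes after normalization: exact match,
    so a surviving '#' makes two otherwise identical identifiers differ."""
    return rfc3986_normalize(a) == rfc3986_normalize(b)


def demo():
    # Constructed sample input exercising case, default port, dot segments
    # and a fragment.
    raw = "HTTP://Example.COM:80/users/./alice/../alice/#profile"
    return {
        "drop_hash": openid_normalize(raw),
        "keep_hash": openid_normalize(raw, keep_separator=True),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
    print(same_identifier("http://example.com/", "http://example.com/#"))
```

Running `demo()` yields "http://example.com/users/alice/" for the variant that drops the separator and "http://example.com/users/alice/#" for the one that keeps it; `same_identifier` reports those two as different. That is the practical consequence of the spec wording Johnny agrees to fix: unless the OpenID text says the '#' goes too, two conforming implementations can canonicalize the same user input to different identifiers and therefore run discovery and response verification against different names.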
