[OpenID] URL normalization and capitalization

Peter Williams pwilliams at rapattoni.com
Tue Aug 5 04:41:09 UTC 2008 

I think I take back my notion; having read the spec.

A ClaimedID is an Identifier - which is defined as an http/https URI. Its just the normalized URI that someone types.

(In XRI land, its otherwise. But we can ignore that, for now.)

I think my blurb was related to the Op-Local ID. It may be best if I just shut up, at this point.

-----Original Message-----
From: SitG Admin [mailto:sysadmin at shadowsinthegarden.com]
Sent: Monday, August 04, 2008 9:33 PM
To: Peter Williams
Cc: general at openid.net
Subject: RE: [OpenID] URL normalization and capitalization

>If claimedID is essentially a byte array, then, obviously, any two
>values (with identical encodings) are indeed different ...if any one
>bit is different. It is intended to act as a "primary key", after
>all.

So, just how many different possible URI's *can* we have, "in the wild"?
http://www.boutell.com/newfaq/misc/urllength.html
Let's assume that the servers involved are all running Microsoft's
IIS, this lets us have sixteen thousand three hundred and eighty-four
characters. Being generous, we'll allow that eight of these are in
use for the prefix (https://) and two hundred fifty-six for the
domain portion, plus one final character for the leading slash in the
pathnme. These add up to 265 bytes that are effectively reserved, in
that toggling their capitalization (assuming a character range of
a-z) won't affect anything. If every OTHER byte *is* such a letter,
the possibilities number around 2 to the power of 3,119.

It would take 390 bytes just to store this value in binary; IPv6, by
comparison, only specifies a number of users contained within 2 to
the power of 48, taking 6 bytes to store. So, in other words, I can
discretely identify THREE THOUSAND FIVE HUNDRED AND TEN times as many
individual users as could possibly exist within the entire address
space of IPv6, just by varying the capitalization on one pathname. I
think server limits will change before we realistically see that many
users ;)

Considering what's possible with pathnames that vary by more than
just capitalization, and how OpenID is supposed to be a
"decentralized" identity system (i.e., it's very likely that URI's
will vary by domain as well as path), do we really need to keep such
an option available?

-Shade

More information about the general mailing list