[OpenID] URL normalization and capitalization
Andrew Arnott
andrewarnott at gmail.com
Tue Aug 5 06:18:35 UTC 2008
Has anyone here read my blog post on this very subject?

The case for case sensitive OpenID URL checking
<http://blog.nerdbank.net/2008/07/case-for-case-sensitive-openid-url.html>

In short: OpenID *must not* forbid RPs to differentiate based on capitalization. In fact, my argument in my blog post expands on the notion that RPs *must* differentiate on capitalization (in the path segment of the URI). Even if a future version of the OpenID spec required OPs to not distribute multiple Identifiers that differed only in casing, since a Claimed Identifier can be hosted by any server on any site anywhere that has no implementation of OpenID whatever (that's what delegation is all about, right?) including on many sites that default to case sensitivity, it is a major security hole to be anything other than case sensitive.

But because that's such a bad usability story for users, I have my follow-up post:

How to make your OpenID Provider case insensitive
<http://blog.nerdbank.net/2008/07/how-to-make-your-openid-provider-case.html>

That makes it an OP opt-in for case insensitivity, where the choice belongs. And if an individual user sets up his/her own Claimed Identifier using delegation, it will be up to that individual whether to make that identifier case sensitive or not by the server configuration he/she uses. The trick in my second referenced post explains how RPs can be case sensitive, but how OPs and delegating Claimed IDs can 'change' that to be case insensitive on any RP the individual(s) log into.

It's the best of both worlds. Read the posts, think it through, and get back to me. :)
On Mon, Aug 4, 2008 at 5:52 PM, SitG Admin <sysadmin at shadowsinthegarden.com> wrote:
> Do the specs currently forbid RPs from differentiating between URIs
> based on capitalization? If not, I'd like to propose that they do,
> for two reasons:
>
> 1) Flexibility of implementation: not having to avoid a particular
> (favored/usual) programming method catering to the limitations of the
> platform or (database) software.
>
> 2) Certainty of identity; not letting NorMalUser into NormalUser's
> account when their Identity-hosting site doesn't see them as
> conflicting, and being able to recognize ShadowsInTheGarden.com as
> the same user as shadowsinthegarden.com by translating the string to
> all upper (or lower) caps for comparison :)
>
> -Shade
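The RP-side comparison Andrew argues for, written out as an added example (my own code, not taken from either blog post or from any OpenID library): the scheme and host are lowercased as RFC 3986 section 6.2.2 permits and the fragment is stripped as OpenID 2.0 section 7.2 requires, but the path is compared byte for byte, so the two spellings of the host in Shade's message match while `NormalUser` and `NorMalUser` stay distinct. URL identifiers only; XRI i-names are out of scope.

```python
from urllib.parse import urlsplit, urlunsplit

# Default ports dropped during normalization (RFC 3986 section 6.2.3).
_DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize_identifier(identifier: str) -> str:
    """Normalize an OpenID URL identifier without touching path case.

    Only components that are case-insensitive by definition (scheme, host)
    are lowercased; the path stays exactly as the user typed it, because the
    server hosting a delegated Claimed Identifier may well treat
    /NormalUser and /NorMalUser as two different resources.
    """
    # OpenID 2.0 section 7.2: a bare identifier is assumed to be http://.
    if "://" not in identifier:
        identifier = "http://" + identifier
    parts = urlsplit(identifier)

    scheme = parts.scheme.lower()
    # urlsplit already lowercases hostname; the explicit call documents intent.
    host = (parts.hostname or "").lower()
    port = parts.port  # None when absent; ValueError on a malformed port
    if port is not None and port != _DEFAULT_PORTS.get(scheme):
        host = f"{host}:{port}"

    # An empty path with an authority present is equivalent to "/".
    path = parts.path or "/"

    # The fragment is never part of the Claimed Identifier; query is kept
    # verbatim since its case may be significant to the hosting server.
    return urlunsplit((scheme, host, path, parts.query, ""))


def same_identifier(a: str, b: str) -> bool:
    """Case-sensitive comparison of two normalized identifiers."""
    return normalize_identifier(a) == normalize_identifier(b)


if __name__ == "__main__":
    # Constructed sample identifiers taken from the thread's own examples.
    print(same_identifier("ShadowsInTheGarden.com", "shadowsinthegarden.com"))
    print(same_identifier("http://example.com/NormalUser",
                          "http://example.com/NorMalUser"))
```

Host-only differences collapse to one identifier, a path-only difference never does, which is exactly the split between the two blog posts: the RP stays strict, and any loosening is the OP's (or the delegating site's) decision.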