[OpenID] URL normalization and capitalization
SitG Admin
sysadmin at shadowsinthegarden.com
Tue Aug 5 08:29:51 UTC 2008
>Has anyone here read my blog post on this very subject?
Just did. I'd been starting to have second thoughts, in the same
spirit as your posts but with a few differences, posted here for
comparison:
>it is a major security hole to be anything other than case sensitive.
And even if an RP does manage to be case-insensitive, this may break
when they switch server software or operating system.
>That makes it an OP opt-in for case insensitivity, where the choice belongs.
I was wondering more along the lines of an RP being able to
communicate to the user "We don't discriminate between
case-sensitivity here, check with your Identity host to see if this
could be a problem.", but this places the burden on the user's AND
host's shoulders.
>The trick in my second referenced post explains how RPs can be case sensitive,
I was hoping for a way to *not* (have to be) case sensitive, at first :)
>It's the best of both worlds. Read the posts, think it through, and
>get back to me. :)
My first thought was "The *choice* may belong to the OpenID Provider,
but isn't it *important* to the Relying Party?" - because, after all,
does it really matter whether SomeUser identifies uniquely to one
site, SOMEuser identifies uniquely to another site, and someUSER
identifies uniquely to a third? But then I remembered what Nat
Sakimura had been saying about RPs communicating into the social
network of the user, and then it gets confusing to have all these
RPs trying to keep track of who's who.
My current thought is that the major problem isn't a technical
specification issue - it's a social engineering issue. Even if the
*sites* all keep track, similarly-named URIs still play on the
user's intuitive expectation that it doesn't make any difference.
This effect, I think, will be the real issue in the future, as we
migrate users' awareness into the realm of "URL as Identifier" - this
would not be a bad spot to focus on user education.
So, while I was also thinking (up until just a few moments ago) that
encouraging Identity-hosting sites to be case insensitive, thus
discouraging the problem, I now think that we should go mad with it.
Enable case discrimination all over the place and give one another
similar names! Show, not tell, users.
That was thought #3. Here's number 4: number 3 was a stupid idea, as
it would mainly serve to irritate the users. Ignore number three :)
-Shade
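As an added illustration of the point under discussion (this is example code written for this page, not code from the list post, from the referenced blog posts, or from any OpenID library): an RP that compares identifiers has to canonicalize them first, and the canonical form keeps the path case-sensitive while folding the scheme and host. The normalization below is a simplified version of the RFC 3986 syntax-based normalization that OpenID 2.0 references for URL identifiers (XRIs, userinfo and IDN handling are left out, which is an assumption of this example), and the second function is an RP-side check, also assumed here, that flags the SomeUser / SOMEuser / someUSER situation the post describes so the RP can at least detect it in its own user store.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, urlunsplit

# Default ports per scheme; a default port carries no information and is dropped.
DEFAULT_PORTS = {"http": 80, "https": 443}

# RFC 3986 "unreserved" characters: percent-encoded forms of these are decoded.
UNRESERVED = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~"
)


def _normalize_percent_encoding(path: str) -> str:
    """Decode %XX for unreserved characters, uppercase the hex digits of the rest."""
    def fix(match: re.Match) -> str:
        hexpair = match.group(1)
        char = chr(int(hexpair, 16))
        return char if char in UNRESERVED else "%" + hexpair.upper()
    return re.sub(r"%([0-9A-Fa-f]{2})", fix, path)


def normalize_openid_url(identifier: str) -> str:
    """Canonicalize a URL-form OpenID identifier (simplified, example only).

    Scheme and host are case-insensitive and are lowercased; the fragment is
    dropped; a default port is removed; an empty path becomes "/". The path
    keeps its case on purpose: under RFC 3986 it is case-sensitive, so
    /SomeUser and /SOMEuser remain two distinct identifiers.
    XRIs (=name, @name, ...) and userinfo are not handled here (assumption).
    """
    ident = identifier.strip()
    if "://" not in ident:
        ident = "http://" + ident          # OpenID 2.0 assumes http when no scheme
    parts = urlsplit(ident)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()  # hostname already drops userinfo
    port = parts.port                      # raises ValueError on a malformed port
    netloc = host if port is None or DEFAULT_PORTS.get(scheme) == port \
        else f"{host}:{port}"
    path = _normalize_percent_encoding(parts.path or "/")
    # Fragment is intentionally discarded: it is not part of the identifier.
    return urlunsplit((scheme, netloc, path, parts.query, ""))


def same_identifier(a: str, b: str) -> bool:
    """True only when both normalize to exactly the same string."""
    return normalize_openid_url(a) == normalize_openid_url(b)


def find_case_collisions(identifiers):
    """Group normalized identifiers that differ only by letter case.

    These are technically distinct accounts, but the post's worry is that
    users assume they belong to the same person. An RP can run this over
    its user table and decide how to surface the lookalikes.
    """
    groups = defaultdict(set)
    for ident in identifiers:
        norm = normalize_openid_url(ident)
        groups[norm.lower()].add(norm)
    return {key: sorted(members) for key, members in groups.items()
            if len(members) > 1}


if __name__ == "__main__":
    # Constructed sample identifiers (not real accounts) for demonstration.
    sample = [
        "http://example.com/SomeUser",
        "HTTP://EXAMPLE.COM/SomeUser",   # same identifier as the first one
        "http://example.com/SOMEuser",   # a different identifier
        "http://example.com/someUSER",   # and another different one
        "http://example.com/other",
    ]
    for ident in sample:
        print(f"{ident:32} -> {normalize_openid_url(ident)}")
    for key, members in find_case_collisions(sample).items():
        print("case lookalikes:", ", ".join(members))
```

The point of keeping the path case-sensitive in the normalizer is exactly the one raised in the thread: the RP cannot fold the path without risking a merge of two different accounts on a case-sensitive OP, so the RP's remaining option is to detect lookalikes rather than unify them.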