[OpenID] Problems with OpenID and TAG httpRange-14

Noah Slater nslater at bytesexual.org
Tue Mar 4 09:08:19 PST 2008


Hello,

There are some issues with the OpenID specification and how it interoperates
with URI redirects according to RFC2616 and httpRange-14.

To use an example, take the following (work safe) URI:

  http://bytesexual.org/

This returns a 303 redirect to:

  http://bytesexual.org/about/

This returns a 200 response with the following HTML link elements:

  <link rel="openid.server" href="http://openid.claimid.com/server">
  <link rel="openid.delegate" href="http://openid.claimid.com/nslater">

The <http://bytesexual.org/> URI works as an OpenID by the specification but the
specification also instructs agents to "[canonicalize]" the URI by following the
303 redirect and so the OpenID is changed to <http://bytesexual.org/about/>.

I am arguing that this is broken according to RFC2616 and the recent findings by
the W3C Technical Architecture Group (TAG) on httpRange-14.
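
The discovery flow described in the message, as an added example that is not part of the original post or of any OpenID library. The response table is constructed from the URIs and link elements quoted above, and the `keep_on_303` policy is an assumed alternative used only to contrast with the follow-every-redirect behaviour the message attributes to the specification.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin

# Constructed responses mirroring the message: URL -> (status, Location, body)
RESPONSES = {
    "http://bytesexual.org/": (303, "http://bytesexual.org/about/", ""),
    "http://bytesexual.org/about/": (200, None,
        '<link rel="openid.server" href="http://openid.claimid.com/server">'
        '<link rel="openid.delegate" href="http://openid.claimid.com/nslater">'),
}

class OpenIDLinks(HTMLParser):
    """Collect <link rel="openid.*"> elements from the final document."""
    def __init__(self):
        super().__init__()
        self.rels = {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link" and (a.get("rel") or "").startswith("openid."):
            self.rels[a["rel"]] = a.get("href")

def discover(entered, responses=RESPONSES, max_hops=5):
    """Follow redirects from the entered URI, recording each hop's status."""
    url, hops = entered, []
    for _ in range(max_hops + 1):
        status, location, body = responses[url]
        if status in (301, 302, 303, 307):
            hops.append((status, url))
            url = urljoin(url, location)
            continue
        links = OpenIDLinks()
        links.feed(body)
        return {"entered": entered, "final": url, "hops": hops, "links": links.rels}
    raise RuntimeError("too many redirects")

def claimed_identifier(result, keep_on_303=False):
    """Identifier a relying party would bind the account to.

    keep_on_303=False: every redirect renames the identifier.
    keep_on_303=True (assumed policy): a 303 does not rename it, so the
    URI that issued the 303 stays the identifier.
    """
    for status, url in result["hops"]:
        if status == 303 and keep_on_303:
            return url
    return result["final"]

if __name__ == "__main__":
    r = discover("http://bytesexual.org/")
    print(claimed_identifier(r), claimed_identifier(r, keep_on_303=True))
```

Both policies find the same server and delegate links; they differ only in which URI ends up stored as the user's identifier.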


