[OpenID] Problems with OpenID and TAG httpRange-14

John Kemp john at jkemp.net
Tue Mar 4 20:07:56 UTC 2008


Noah Slater wrote:
> On Tue, Mar 04, 2008 at 02:09:49PM -0500, John Kemp wrote:
>> I don't think it's incorrect to use the final, canonical URI as an
>> identifier for the OpenID user.
> 
> RFC 2526 disagrees with you:
> 
>   The response to the request can be found under a different URI and
>   SHOULD be retrieved using a GET method on that resource. This method
>   exists primarily to allow the output of a POST-activated script to
>   redirect the user agent to a selected resource. THE NEW URI IS NOT A
>   SUBSTITUTE REFERENCE FOR THE ORIGINALLY REQUESTED RESOURCE.

Indeed.

> 
> Also, I disagree your use of the word canonical, it is only canonical insofar
> as it is a misinterpretation of HTTP 1.1 redirection.

It's considered (by OpenID) a canonical identifier for the user (which 
has nothing in particular to do with it being a URL).

> 
>> And if the content of the related page is an XRDS document you got by
>> following redirects from the originally-provided identifier to the final
>> identifier, then it would seem to me that the content of that is at
>> least potentially cacheable - unlike any content you dereferenced from
>> the original identifier.
> 
> I'm not interested in the cacheability of resources only the canonicalisation
> process that the OpenID specification requires being in contradiction to HTTP.

HTTP is a protocol for dereferencing URLs. Not a protocol for using them 
as identifiers for users. And, vice-versa, OpenID is a protocol for 
verifying an identifier (which happens to be a URL). It gets messy when 
they are combined, I agree, but I'm still not clear on exactly what your 
issue is.

> 
>> A possible problem *might be* that the user might see content from a
>> different location than the location shown in the address bar of their
>> browser. That seems like a general problem with using redirects for
>> protocols like this, and isn't solely linked to the "following
>> redirects" part of creating a canonical OpenID.
> 
> No, I don't mind people visiting <http://bytesexual.org/> and being visibly
> redirected to <http://bytesexual.org/about/> but I do mind it when OpenID agents
> incorrectly canonicalise and publish an incorrect identity.

Can you explain specifically what you mean by "incorrectly canonicalize 
and publish" in this case? What URI do you *want* to use as your OpenID? 
What is your OpenID provider/RP doing that illustrates this issue?

> 
>> Where do you see problems?
> 
> I see problems when OpenID does not allow me to assert a URI as my identity.

How does OpenID do that?

- johnk

> 
> OpenID should update the spec so that canonicalisation stops at a 303 redirect.
> 
> I think Sam Ruby would like the same to apply to 302 but that is separate.
> 
> Thanks,
> 
> --
> Noah Slater <http://bytesexual.org/>
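The disagreement above comes down to which redirect status codes are allowed to replace a claimed identifier. The following is an added illustration, not code from the mailing list or from the OpenID specification: it walks a constructed, offline redirect chain modelled on the <http://bytesexual.org/> example and contrasts "the final URL after all redirects becomes the identifier" (the behaviour the thread attributes to OpenID agents) with the proposed rule that a 303 (and, if you extend the `non_substitute` set, a 302) does not substitute for the originally requested resource, as the quoted RFC text says. All URLs, the `canonicalize` function and the response table are assumptions made for the example.

```python
"""Toy identifier canonicalization over an HTTP redirect chain.

Added example (not from the OpenID mailing list or spec). It contrasts the
behaviour the thread describes -- the final URL after every redirect becomes
the user's identifier -- with the proposed rule that a 303 response (and
optionally 302) does not replace the identifier, as RFC 2616 says of 303.
"""
from typing import Dict, FrozenSet, Optional, Tuple

# Constructed, offline stand-in for an HTTP server: URL -> (status, Location).
# The .invalid hosts are placeholders reserved for exactly this purpose.
CONSTRUCTED_RESPONSES: Dict[str, Tuple[int, Optional[str]]] = {
    # The thread's example: a 303 "see other" to the about page.
    "http://bytesexual.org/": (303, "http://bytesexual.org/about/"),
    "http://bytesexual.org/about/": (200, None),
    # A genuine permanent move: the new URI is a substitute for the old one.
    "http://example.invalid/old": (301, "http://example.invalid/new"),
    "http://example.invalid/new": (200, None),
    # A 303 followed by a 301: the 301 applies to the page, not the identifier.
    "http://chain.invalid/id": (303, "http://chain.invalid/page"),
    "http://chain.invalid/page": (301, "http://chain.invalid/page2"),
    "http://chain.invalid/page2": (200, None),
    # A redirect loop, to show the hop limit.
    "http://loop.invalid/a": (302, "http://loop.invalid/b"),
    "http://loop.invalid/b": (302, "http://loop.invalid/a"),
}

REDIRECT_STATUSES = {301, 302, 303, 307}


def canonicalize(
    claimed: str,
    responses: Dict[str, Tuple[int, Optional[str]]] = CONSTRUCTED_RESPONSES,
    non_substitute: FrozenSet[int] = frozenset({303}),
    max_hops: int = 10,
) -> Tuple[str, str, int]:
    """Follow redirects from `claimed` and return (identifier, final_url, status).

    `identifier` is what a relying party would publish as the user's identity.
    With non_substitute=frozenset() every redirect replaces it, which is the
    behaviour the thread objects to. With the default {303} (or {302, 303}),
    a non-substitute redirect freezes the identifier at the URL the user
    actually asserted, while discovery still fetches the final document.
    """
    identifier = claimed   # what the RP would publish
    current = claimed      # what we fetch next
    frozen = False         # set once a non-substitute redirect has been seen
    for _ in range(max_hops):
        status, location = responses.get(current, (404, None))
        if status not in REDIRECT_STATUSES or location is None:
            return identifier, current, status
        if status in non_substitute:
            frozen = True
        if not frozen:
            identifier = location
        current = location
    # A loop or an over-long chain is a discovery failure, not an identity.
    raise ValueError(f"more than {max_hops} redirects from {claimed}")


if __name__ == "__main__":
    for policy in (frozenset(), frozenset({303}), frozenset({302, 303})):
        print(sorted(policy), canonicalize("http://bytesexual.org/", non_substitute=policy))
```

Run as a script, the first line of output shows the 303 target becoming the identifier; the other two keep `http://bytesexual.org/` as the identity while still resolving to the about page for the actual fetch. Whether the permanent 301 chain should also be frozen is a policy choice the code leaves to the caller via `non_substitute`.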
