[OpenID] Problems with OpenID and TAG httpRange-14
Noah Slater
nslater at bytesexual.org
Tue Mar 4 20:28:13 UTC 2008
> It's considered (by OpenID) a canonical identifier for the user (which
> has nothing in particular to do with it being a URL)
Well, considering that OpenID relies on being able to dereference URIs via HTTP
I would argue that the respective URI and HTTP RFCs are particularly important
when deciding upon the appropriate canonicalisation behaviour of OpenID agents.
> HTTP is a protocol for dereferencing URLs. Not a protocol for using them
> as identifiers for users.
No, but considering that OpenID is relying on the mechanics of HTTP it only
makes sense to properly abide by the semantics explicitly provided by the RFC.
More explicitly, when HTTP says that 303 redirects should not be considered
replacement resources it is important for the OpenID specification to make
specific allowances for this when instructing agents how to canonicalise an
identity that is based upon the HTTP mechanics of dereference.
> It gets messy when they are combined, I agree, but I'm still not clear on
> exactly what your issue is.
My issue is that I cannot use any URI that 303 redirects to another resource as
an OpenID identity because the specification (by oversight) ignores an important
aspect of HTTP redirection mechanics in its identity canonicalisation process.
> Can you explain specifically what you mean by "incorrectly canonicalize
> and publish" in this case? What URI do you *want* to use as your OpenID?
> What is your OpenID provider/RP doing that illustrates this issue?
I want to use <http://bytesexual.org/> as my OpenID identity.
When I use this identity with various OpenID enabled websites they follow the
OpenID specification and canonicalise this to <http://bytesexual.org/about/>.
When the website in question publishes this OpenID (perhaps making a reference
to me, for example blog comments) the URI used is the latter and not the former.
>> I see problems when OpenID does not allow me to assert a URI as my identity.
>
> How does OpenID do that?
I go to Example Blog and see an interesting article, I comment on it using my
<http://bytesexual.org/> OpenID and the blog software canonicalises and displays
my OpenID as <http://bytesexual.org/about/>.
I have been prevented from using a specific URI in this instance because the
OpenID specification ignores the semantics of the HTTP 303 redirection.
Thanks,
--
Noah Slater <http://bytesexual.org/>
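
The canonicalisation difference discussed in this message, as an added example that is not part of the original post or of any OpenID library. It compares the follow-every-redirect behaviour the message describes with a 303-aware variant of the kind the message asks for; the `resolve` function, its `honour_303` parameter, and the response table (including the `old.example`, `new.example` and `loop.example` hosts) are constructed for illustration.

```python
from urllib.parse import urljoin

# Constructed stand-in for real HTTP fetches: URL -> (status, Location header)
RESPONSES = {
    "http://bytesexual.org/": (303, "/about/"),
    "http://bytesexual.org/about/": (200, None),
    "http://old.example/": (301, "http://new.example/"),
    "http://new.example/": (200, None),
    "http://loop.example/a": (302, "/b"),
    "http://loop.example/b": (302, "/a"),
}
REDIRECTS = {301, 302, 303, 307}


def resolve(url, honour_303, max_hops=5):
    """Return (claimed_identifier, discovery_url) for a user-supplied URL.

    claimed_identifier is what the relying party stores and displays;
    discovery_url is where the identity document is finally fetched.
    With honour_303=False every redirect replaces the identifier.
    With honour_303=True (hypothetical variant) a 303 is treated as a pointer
    to a different resource, so the identifier stops changing at that hop.
    """
    claimed, frozen, seen = url, False, set()
    for _ in range(max_hops + 1):
        if url in seen:
            # Refuse loops so a hostile or broken site cannot stall the agent.
            raise ValueError(f"redirect loop at {url}")
        seen.add(url)
        status, location = RESPONSES[url]
        if status not in REDIRECTS:
            return claimed, url
        if honour_303 and status == 303:
            frozen = True
        url = urljoin(url, location)  # Location may be relative
        if not frozen:
            claimed = url
    raise ValueError("too many redirects")


if __name__ == "__main__":
    for start in ("http://bytesexual.org/", "http://old.example/"):
        for honour in (False, True):
            print(start, "honour_303=%s" % honour, resolve(start, honour))
```

Whichever rule a relying party applies, it has to key accounts on the returned claimed identifier consistently, since that string is the security principal.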