[OpenID] clarification on openid.signed contents / duplicates

[Andrew Arnott]

Curious what the behavior would be in this case?  Do you verify the
signature by actually injecting the KVF with two name:value pairs, or do you
ignore all but the first appearance of a parameter?
Since it's not spec'd out that you can have duplicates in the list, I'd say
it's wrong.  Particularly in  light of the above ambiguity.
--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death
your right to say it." - S. G. Tallentyre


2009/7/27 Bill Shupp <hostmaster at shupp.org>

> Can openid.signed have duplicate entries?  I found this to be the case with
> an OP recently, and the library I'm using (php via PEAR) did not allow for
> this, so the signature checking would fail.  However, the JanRain php
> library does allow for this.
>
> Section 4.1 of OpenID 2.0 specifies that Protocol Messages "MUST NOT
> contain multiple parameters with the same name.".  However, this is just KV
> form of the openid.signed items.  Is this still considered a protocol
> message, and therefor not allow duplicates?  It's not clear to me, so I
> thought I'd ping the list for clarification before leaving in the workaround
> I added to support this case.
>
> Thanks,
>
> Bill Shupp
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-general/attachments/20090727/b7e39c28/attachment.htm>