[OpenID] clarification on openid.signed contents / duplicates
Bill Shupp
hostmaster at shupp.org
Tue Jul 28 00:10:09 UTC 2009
On Jul 27, 2009, at 5:06 PM, Andrew Arnott wrote:
> Curious what the behavior would be in this case? Do you verify the
> signature by actually injecting the KVF with two name:value pairs,
> or do you ignore all but the first appearance of a parameter?
>
> Since it's not spec'd out that you can have duplicates in the list,
> I'd say it's wrong. Particularly in light of the above ambiguity.

The OP agreed it's wrong and is fixing it. But yeah, to match the
signature, the KVF must have two identical lines in it. My library
would ignore it, and my signature would not match. JanRain's,
however, included the duplicate and the signatures would match. I
agree that there should not be duplicates in openid.signed, but just
wanted to see if others interpreted the spec differently.
Regards,
Bill
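
The mismatch described in this message, as an added example that is not part of the original post or of either library's code: the same assertion verified by a relying party that keeps a repeated `openid.signed` entry in the Key-Value Form, by one that drops the repeat, and by a strict one that rejects the list outright. The key, the parameter values, the choice of `identity` as the repeated field and the HMAC-SHA256 association type are all assumptions constructed for illustration.

```python
import base64
import hashlib
import hmac


def kvf(params, keep_duplicates):
    """Build the Key-Value Form for the fields listed in openid.signed."""
    seen, lines = set(), []
    for name in params["openid.signed"].split(","):
        if name in seen and not keep_duplicates:
            continue  # "ignore the repeat" behaviour
        seen.add(name)
        lines.append(f"{name}:{params['openid.' + name]}\n")
    return "".join(lines).encode("utf-8")


def sign(mac_key, params, keep_duplicates):
    """Base64 HMAC-SHA256 over the KVF (HMAC-SHA256 association assumed)."""
    digest = hmac.new(mac_key, kvf(params, keep_duplicates), hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def verify(mac_key, params, keep_duplicates):
    expected = sign(mac_key, params, keep_duplicates)
    return hmac.compare_digest(expected, params["openid.sig"])


def verify_strict(mac_key, params):
    """Reject any openid.signed list that names a field twice, then verify."""
    fields = params["openid.signed"].split(",")
    if len(fields) != len(set(fields)):
        return False
    return verify(mac_key, params, keep_duplicates=False)


# Constructed sample values, not taken from the thread.
MAC_KEY = b"constructed-association-secret"
PARAMS = {
    "openid.mode": "id_res",
    "openid.identity": "https://user.example/",
    "openid.return_to": "https://rp.example/return",
    "openid.signed": "mode,identity,return_to,identity",  # duplicate entry
}
# The OP signs a KVF that contains the duplicated line.
PARAMS["openid.sig"] = sign(MAC_KEY, PARAMS, keep_duplicates=True)

if __name__ == "__main__":
    print("verifier keeping duplicates :", verify(MAC_KEY, PARAMS, True))
    print("verifier dropping duplicates:", verify(MAC_KEY, PARAMS, False))
    print("strict verifier             :", verify_strict(MAC_KEY, PARAMS))
```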