[OpenID] OpenID 2.0 spec security improvement suggestion
Allen Tom
atom at yahoo-inc.com
Wed Mar 11 20:57:48 UTC 2009
I'm a little rusty on query parameter syntax, but isn't
key=value1&key=value2&key=value3
equivalent to
key=value1,value2,value3
Should the spec address this case?
Allen
Breno de Medeiros wrote:
> What if they appear a fewer number of times?
>
> The correct language is that the set of parameter assignments "a=b",
> where 'a' is the key and 'b' is the value, that appear in the HTTP
> request the RP received, and that are not OpenID parameters, should be
> identical to the set of assignments present in the query part of the
> return_to URL in the authentication response.
>
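
Added example, not part of the original thread and not code from the OpenID specification: one way an RP could implement the comparison described in the quoted text, using Python's urllib.parse. The names return_to_matches, non_openid, make_request and the count_repeats option are assumptions made for this illustration, and the sample URLs are constructed. Python's parser does not split on commas, so the two query forms from the message above give different sets of assignments here.

```python
from collections import Counter
from urllib.parse import parse_qsl, quote, urlsplit

def non_openid(pairs):
    """Keep only the assignments whose key is not an OpenID parameter."""
    return [(k, v) for k, v in pairs if not k.startswith("openid.")]

def return_to_matches(request_query, count_repeats=False):
    """Compare the request's non-OpenID assignments with those in return_to.

    count_repeats=False compares sets, as the quoted wording says;
    count_repeats=True (an assumption added here) also compares how many
    times each assignment appears.
    """
    pairs = parse_qsl(request_query, keep_blank_values=True)
    return_to = [v for k, v in pairs if k == "openid.return_to"]
    if len(return_to) != 1:          # missing or ambiguous return_to: reject
        return False
    received = non_openid(pairs)
    expected = non_openid(parse_qsl(urlsplit(return_to[0]).query,
                                    keep_blank_values=True))
    if count_repeats:
        return Counter(received) == Counter(expected)
    return set(received) == set(expected)

def make_request(return_to, extra_query):
    """Build a constructed sample query string as the RP would receive it."""
    openid = "openid.mode=id_res&openid.return_to=" + quote(return_to, safe="")
    return extra_query + "&" + openid if extra_query else openid

# Constructed sample values (rp.example is a placeholder host).
RETURN_TO = "https://rp.example/cb?key=value1&key=value2&key=value3"

if __name__ == "__main__":
    for q in ("key=value1&key=value2&key=value3",
              "key=value1,value2,value3",
              "key=value1&key=value2"):
        print(q, "->", return_to_matches(make_request(RETURN_TO, q)))
```

With set comparison a repeated assignment such as a=b&a=b is indistinguishable from a single a=b; count_repeats=True rejects that case as well.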