[OpenID] OpenID 2.0 spec security improvement suggestion
Andrew Arnott
andrewarnott at gmail.com
Thu Mar 12 02:41:49 UTC 2009
Good idea, Martin. I wonder how you'd feel about standardizing on periods
rather than underscores? I know you mentioned PHP turns them into
underscores, but that makes it meaningless to PHP which one we standardize
on, and the rest of the language world tends to use periods for namespacing
rather than underscores.
OAuth uses underscores, and I think it's newer; perhaps this was their
reasoning.
--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death
your right to say it." - Voltaire
On Wed, Mar 11, 2009 at 6:29 PM, Martin Atkins <mart at degeneration.co.uk> wrote:
> Allen Tom wrote:
>
>> I'm a little rusty on query parameter syntax, but isn't
>>
>> key=value1&key=value2&key=value3
>>
>> equivalent to
>>
>> key=value1,value2,value3
>>
>> Should the spec address this case?
>>
>>
> I'm pretty sure that this is not standard, but may be the behavior of a
> particular implementation.
>
> The meta-problem here is that the query string was never really intended
> for being a transport for standard protocols, but was rather intended to be
> an application-local concern. This is not the first time we've run into
> grief where we've assumed particular behavior in parsing the query string
> that is not compatible with the behavior of one or more frameworks.
>
> For example, PHP turns periods in key names into underscores, so
> openid.mode is accessed as openid_mode. Fortunately the only ill effect this
> has is that in most PHP OpenID implementations you can send openid_mode in
> the query string and it'll work. :)
>
> You also can't access multiple values of the same key in PHP unless the key
> name has [] at the end.
>
> It might be of more general use for someone to research the various nutty
> behaviors of different frameworks and try to document a safe subset that
> protocols like OpenID and OAuth can use. Hopefully that will also encourage
> future frameworks to be compatible with what's documented. Here are three
> constraints to be starting with:
>
> * Only latin letters, roman digits and underscores in keys.
> * Only one instance of each key.
> * Don't use commas unless you're making a list.
>
>
>
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general
>
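Added example, not code from the thread or from any OpenID library: a Python parser that enforces the three constraints Martin lists (safe key characters, one instance per key, commas are not a list separator) and, for comparison, approximates the PHP behaviour he describes, where `openid.mode` and `openid_mode` collapse into the same key. The function names `php_style_key`, `php_view`, `parse_strict` and `check_query` are my own, and `php_view` only models the period-to-underscore rewrite and last-value-wins, not the `[]` array suffix.

```python
import re
from urllib.parse import parse_qsl

# Martin's safe subset for key names; OpenID's own openid.* names need the period too.
SAFE_KEY = re.compile(r"^[A-Za-z0-9_]+$")
SAFE_KEY_WITH_DOT = re.compile(r"^[A-Za-z0-9_.]+$")

def php_style_key(key: str) -> str:
    """Mimic PHP's $_GET normalisation: periods in key names become underscores."""
    return key.replace(".", "_")

def php_view(query: str) -> dict:
    """Approximate what a PHP app sees: normalised keys, last value wins
    (the '[]' array suffix from the thread is not modelled)."""
    out = {}
    for key, value in parse_qsl(query, keep_blank_values=True):
        out[php_style_key(key)] = value
    return out

def parse_strict(query: str, *, allow_periods: bool = True) -> dict:
    """Parse under the safe-subset rules from the thread, failing closed:
    keys use only Latin letters, digits and underscores (plus periods when
    allow_periods is set); each key appears once, and two spellings that merge
    under PHP normalisation (openid.mode / openid_mode) count as a repeat, so a
    receiver cannot be fed a different value through each spelling. Commas are
    left alone: 'key=a,b' is a single value, not two instances of key."""
    if query == "":
        return {}
    pattern = SAFE_KEY_WITH_DOT if allow_periods else SAFE_KEY
    seen = {}  # normalised key -> original spelling
    out = {}
    for key, value in parse_qsl(query, keep_blank_values=True, strict_parsing=True):
        if not pattern.match(key):
            raise ValueError(f"unsafe characters in key {key!r}")
        norm = php_style_key(key)
        if norm in seen:
            raise ValueError(f"repeated key {key!r} (collides with {seen[norm]!r})")
        seen[norm] = key
        out[key] = value
    return out

def check_query(query: str) -> "str | None":
    """Return None when the query is acceptable, otherwise the rejection reason."""
    try:
        parse_strict(query)
    except ValueError as exc:
        return str(exc)
    return None
```

Running `check_query` at the receiving endpoint before any parameter is read answers Allen's question in the strict direction: `key=value1&key=value2` is rejected as a repeat, while `key=value1,value2,value3` is accepted as one opaque value.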