<HTML><HEAD></HEAD>
<BODY>
<DIV id=idOWAReplyText9745 dir=ltr>
<BLOCKQUOTE dir=ltr style="MARGIN-RIGHT: 0px">
<DIV dir=ltr><FONT color=#000000 size=2>"URL Identifiers MUST then be further normalized by both following redirects when retrieving their content and finally applying the rules in Section 6 of <A class=info href="http://openid.net/specs/openid-authentication-2_0.html#RFC3986" target=_blank><STRONG><FONT color=#990000>[RFC3986]<SPAN> (</SPAN><SPAN class=info>Berners-Lee, T., “Uniform Resource Identifiers (URI): Generic Syntax,” .</SPAN><SPAN>)</SPAN></FONT></STRONG></A> to the final destination URL. This final URL MUST be noted by the Relying Party as the Claimed Identifier and be used when <A class=info href="http://openid.net/specs/openid-authentication-2_0.html#requesting_authentication" target=_blank><STRONG><FONT color=#990000>requesting authentication<SPAN> (</SPAN><SPAN class=info>Requesting Authentication</SPAN><SPAN>)</SPAN></FONT></STRONG></A>. "</FONT></DIV></BLOCKQUOTE>
<DIV dir=ltr><FONT size=2></FONT> </DIV>
<DIV dir=ltr><FONT size=2>Hmm. I tend to agree with you: its that term "final destination URL". </FONT></DIV>
<DIV dir=ltr><FONT size=2></FONT><FONT size=2></FONT> </DIV>
<DIV dir=ltr><FONT size=2>I think a "final URL" is a "final destination URL" that has been normalized using 3986. The final URL is of course a function of the URL Identifier, and gets cast as a Claimed Identifier.</FONT></DIV>
<DIV dir=ltr>
<HR tabIndex=-1>
<FONT face=Tahoma size=2><B>From:</B> Noah Slater<BR><B>Sent:</B> Tue 3/4/2008 10:30 AM<BR><B>To:</B> Peter Williams<BR><B>Cc:</B> general@openid.net<BR><B>Subject:</B> Re: [OpenID] Problems with OpenID and TAG httpRange-14<BR></FONT><BR></DIV></DIV>
<DIV><PRE style="WORD-WRAP: break-word">On Tue, Mar 04, 2008 at 10:25:15AM -0800, Peter Williams wrote:
> I only normalized the user input.
The OpenID spec says:
Consumers MUST canonicalize the Identifier URL, following redirects, and note
the final URL. The final, canonicalized URL is the End User's Identifier.
I think this clearly indicates that the URI must be canonicalised to "/about/".
> My SP openid engine does not know how many redirects (if any) are followed when
> locating the HTML page.
No, but according to the spec you must replace the initial URI with the final one.
As I pointed out, though I'm not sure the references got through the HTTP RFC
and the TAG httpRange-14 findings clearly show that is is incorrect behaviour.
--
Noah Slater <http://bytesexual.org/>
</PRE></DIV></BODY></HTML>