<div dir="ltr">Has anyone here read my blog post on this very subject? <br><h3 class="post-title entry-title"><a href="http://blog.nerdbank.net/2008/07/case-for-case-sensitive-openid-url.html">The case for case sensitive OpenID URL checking</a></h3>
In short: OpenID <i>must not</i> forbid RPs to differentiate based on capitalization. In fact, my argument in my blog post expands on the notion that RPs <i>must</i> differentiate on capitalization (in the path segment of the URI). Even if a future version of the OpenID spec required OPs to not distribute multiple Identifiers that differed only in casing, since a Claimed Identifier can be hosted by any server on any site anywhere that has no implementation of OpenID whatever (that's what delegation is all about, right?) including on many sites that default to case sensitivity, it is a major security hole to be anything other than case sensitive.<br>
<br>But because that's such a bad usability story for users, I have my follow-up post:<br><h3 class="post-title entry-title"><a href="http://blog.nerdbank.net/2008/07/how-to-make-your-openid-provider-case.html">How to make your OpenID Provider case insensitive</a></h3>
That makes it an OP opt-in for case insensitivity, where the choice belongs. And if an individual user sets up his/her own Claimed Identifier using delegation, it will be up to that individual whether to make that identifier case sensitive or not by the server configuration he/she uses. The trick in my second referenced post explains how RPs can be case sensitive, but how OPs and delegating Claimed IDs can 'change' that to be case insensitive on any RP the individual(s) log into.<br>
<br>It's the best of both worlds. Read the posts, think it through, and get back to me. :)<br><br><div class="gmail_quote">On Mon, Aug 4, 2008 at 5:52 PM, SitG Admin <span dir="ltr">&lt;<a href="mailto:sysadmin@shadowsinthegarden.com">sysadmin@shadowsinthegarden.com</a>&gt;</span> wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">Do the specs currently forbid RPs from differentiating between URIs<br>
based on capitalization? If not, I'd like to propose that they do,<br>
for two reasons:<br>
<br>
1) Flexibility of implementation: not having to avoid a particular<br>
(favored/usual) programming method catering to the limitations of the<br>
platform or (database) software.<br>
<br>
2) Certainty of identity; not letting NorMalUser into NormalUser's<br>
account when their Identity-hosting site doesn't see them as<br>
conflicting, and being able to recognize ShadowsInTheGarden.com as<br>
the same user as <a href="http://shadowsinthegarden.com" target="_blank">shadowsinthegarden.com</a> by translating the string to<br>
all upper (or lower) caps for comparison :)<br>
<br>
-Shade<br>
_______________________________________________<br>
general mailing list<br>
<a href="mailto:general@openid.net">general@openid.net</a><br>
<a href="http://openid.net/mailman/listinfo/general" target="_blank">http://openid.net/mailman/listinfo/general</a><br>
</blockquote></div><br></div>
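<p>The comparison rule argued for in the reply above, sketched as an added example that is not part of the original thread or of any OpenID library: an RP lowercases only the scheme and host, and compares the path byte for byte. The function names and the <code>op.example</code> identifiers are constructed for illustration, and the normalization is a simplified assumption (no redirect following or percent-encoding normalization).</p>

```python
from urllib.parse import urlsplit, urlunsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize_claimed_id(identifier: str) -> str:
    """Normalize only the case-insensitive parts of a URL identifier.

    Scheme and host are lowercased and a default port is dropped;
    the path and query keep the exact casing the user supplied.
    """
    ident = identifier.strip()
    if "://" not in ident:
        ident = "http://" + ident          # bare host is treated as http
    parts = urlsplit(ident)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError(f"not an http(s) identifier: {identifier!r}")
    if parts.username is not None:
        raise ValueError("userinfo is not accepted in an identifier")
    host = parts.hostname                  # urlsplit already lowercases this
    if ":" in host:                        # IPv6 literal needs its brackets back
        host = f"[{host}]"
    port = parts.port
    netloc = host if port in (None, DEFAULT_PORTS[scheme]) else f"{host}:{port}"
    path = parts.path or "/"               # empty path and "/" are equivalent
    # The fragment is dropped; the path is deliberately NOT case-folded.
    return urlunsplit((scheme, netloc, path, parts.query, ""))


def same_identifier(a: str, b: str) -> bool:
    """Exact, case-sensitive comparison of the normalized forms."""
    return normalize_claimed_id(a) == normalize_claimed_id(b)


if __name__ == "__main__":
    # Constructed sample identifiers.
    pairs = [
        ("http://ShadowsInTheGarden.com", "shadowsinthegarden.com"),
        ("https://op.example/NormalUser", "https://op.example/NorMalUser"),
        ("HTTPS://OP.Example:443/NormalUser#x", "https://op.example/NormalUser"),
    ]
    for a, b in pairs:
        verdict = "same" if same_identifier(a, b) else "different"
        print(f"{a}  vs  {b}  ->  {verdict}")
```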