<div dir="ltr">SitG said: make a hash of each claimed ID *and* final ID (since Yahoo will declare a different actual ID) for lookup.<br><br>SitG, I'm concerned about your terminology here. The Claimed Identifier is the canonical identifier, and the only ID that Yahoo! or any other OP asserts/declares. I don't know what this final ID is that you're talking about, or what this "different actual ID" is either. But there are a few IDs defined in the OpenID spec:<br>
<ul><li>User-supplied identifier: the actual string entered by the user, which may just be "<a href="http://yahoo.com">yahoo.com</a>"</li><li>Normalized identifier (7.2): applying some set rules to the user-supplied identifier, including adding scheme and following redirects, this may be: "<a href="http://www.yahoo.com">http://www.yahoo.com</a>"</li>
<li>Claimed Identifier: This is typically the normalized identifier if it is a URI. But the OP may add a #fragment to it in the assertion in which case <i>that</i> is the Claimed Identifier. And in the case of an XRI, the i-number is the claimedId.<br>
</li></ul><br><div class="gmail_quote">On Wed, Sep 3, 2008 at 8:28 AM, SitG Admin <span dir="ltr"><<a href="mailto:sysadmin@shadowsinthegarden.com">sysadmin@shadowsinthegarden.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div class="Ih2E3d">>We are using the claimed identifier as a key in our database to<br>
>identify credentials for a user.<br>
<br>
</div>Ouch. This will make things confusing (and potentially a security<br>
risk) in the case of, for example, <a href="https://me.yahoo.com/" target="_blank">https://me.yahoo.com/</a> - I've been<br>
worrying over the same problem recently, and recommend borrowing an<br>
idea from MemCache: make a hash of each claimed ID *and* final ID<br>
(since Yahoo will declare a different actual ID) for lookup. This<br>
won't matter for collisions because you're just using the hash to<br>
save time that would otherwise be spent searching all those long text<br>
fields; if you get 5 results, you just check 5 entries^1 (with two<br>
fields apiece) for the full text. You can put a check in regular<br>
maintenance for lots of users with the same claimed ID but different<br>
final ID to detect users who are doing that kind of system.<br>
<br>
^1) If you get five HUNDRED results, it might be time to use a longer hash :)<br>
<div class="Ih2E3d"><br>
>However, it seems that some sites have virtually infinite number of<br>
>claimed identifiers for the same OP Local Id.<br>
<br>
</div>I remember this headache. OpenID follows the URL standard, so the<br>
user can vary capitalization when they type in their URI, and since<br>
this *may* be a different page on the server hosting their Identity,<br>
it's important to preserve case-sensitivity in keeping track of their<br>
identifier!<br>
<br>
I'm experimentally using this method for a sanity check: lower-case<br>
the claimed ID, lower-case the final ID, look for the claimed ID *in*<br>
the final ID, and if there's no match, worry. (The exact definition<br>
of "worry" is, in my case, is to complain and then promptly die -<br>
you'd probably want yours to be more sophisticated.)<br>
<br>
There was a thread last month (from the 3rd to the 5th) about "URI<br>
normalization and capitalization", I recommend that you look in the<br>
list archives and read that too.<br>
<br>
-Shade<br>
<div><div></div><div class="Wj3C7c">_______________________________________________<br>
general mailing list<br>
<a href="mailto:general@openid.net">general@openid.net</a><br>
<a href="http://openid.net/mailman/listinfo/general" target="_blank">http://openid.net/mailman/listinfo/general</a><br>
</div></div></blockquote></div><br></div>