Curious what the behavior would be in this case? Do you verify the signature by actually injecting the KVF with two name:value pairs, or do you ignore all but the first appearance of a parameter?<div><br></div><div>Since it's not spec'd out that you can have duplicates in the list, I'd say it's wrong. Particularly in light of the above ambiguity.<br clear="all">
--<br>Andrew Arnott<br>"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - S. G. Tallentyre<br>
<br><br><div class="gmail_quote">2009/7/27 Bill Shupp <span dir="ltr"><<a href="mailto:hostmaster@shupp.org">hostmaster@shupp.org</a>></span><br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
Can openid.signed have duplicate entries? I found this to be the case with an OP recently, and the library I'm using (php via PEAR) did not allow for this, so the signature checking would fail. However, the JanRain php library does allow for this.<br>
<br>
Section 4.1 of OpenID 2.0 specifies that Protocol Messages "MUST NOT contain multiple parameters with the same name.". However, this is just KV form of the openid.signed items. Is this still considered a protocol message, and therefor not allow duplicates? It's not clear to me, so I thought I'd ping the list for clarification before leaving in the workaround I added to support this case.<br>
<br>
Thanks,<br><font color="#888888">
<br>
Bill Shupp<br>
_______________________________________________<br>
general mailing list<br>
<a href="mailto:general@openid.net" target="_blank">general@openid.net</a><br>
<a href="http://openid.net/mailman/listinfo/general" target="_blank">http://openid.net/mailman/listinfo/general</a><br>
</font></blockquote></div><br></div>