Request for comments: Sorting fields in signature generation-Call for votes

Granqvist, Hans hgranqvist at verisign.com
Fri Oct 6 10:24:41 PDT 2006


Behavior needs to be specified before it can be recommended.

So the spec MUST specify how to deal with the multiple
parameters before it can set the use thereof as NOT 
RECOMMENDED. 

Hans


> -----Original Message-----
> From: specs-bounces at openid.net 
> [mailto:specs-bounces at openid.net] On Behalf Of Recordon, David
> Sent: Wednesday, September 27, 2006 1:13 PM
> To: Josh Hoyt; Marius Scurtescu; Brad Fitzpatrick
> Cc: specs at openid.net
> Subject: RE: Request for comments: Sorting fields in 
> signature generation-Call for votes
> 
> I don't think multiple parameters with the same name should 
> be completely disallowed, rather that section 7.1 should 
> strongly discourage their use.  I agree that from the core 
> authentication standpoint they aren't needed today, though do 
> understand that in the future there may be a compelling use 
> case for them.  I believe the simplicity that is offered from 
> not supporting them outweighs the benefit of form handling 
> with existing forms.
> 
> So +1 to tightening up section 7.1, but -1 to it specifically 
> allowing multiple parameters with the same name.  I believe 
> the wording should be such that it is "strongly NOT 
> RECOMMENDED that extensions to OpenID Authentication utilize 
> GET or POST parameters with the same name".
> 
> Brad, thoughts?
> 
> --David 
> 
> -----Original Message-----
> From: specs-bounces at openid.net 
> [mailto:specs-bounces at openid.net] On Behalf Of Josh Hoyt
> Sent: Wednesday, September 27, 2006 12:20 PM
> To: Marius Scurtescu
> Cc: specs at openid.net
> Subject: Re: Request for comments: Sorting fields in 
> signature generation -Call for votes
> 
> On 9/27/06, Marius Scurtescu <marius at sxip.com> wrote:
> > please keep in mind that we are not asking for some fancy new 
> > technology or feature, just conformance with a very basic and 
> > widespread convention of handling parameters in HTTP/HTML.
> 
> As Kevin pointed out, we are not working on the HTTP/HTML 
> form processing specification. We are working on an 
> authentication protocol.
> Restricting the protocol to forbid multiple parameters with 
> the same name does not break conformance with anything.
> 
> I think that we have discussed the majority of the technical 
> issues regarding multiple parameters with the same name. I 
> could respond to your individual points, but I don't think 
> that would get us any closer to agreement.
> 
> Can we get +1/-1 on multiple parameters with the same name 
> from people without @sxip.com or @janrain.com e-mail addresses?
> 
> Clearly, we (JanRain) are -1.
> 
> Josh
> _______________________________________________
> specs mailing list
> specs at openid.net
> http://openid.net/mailman/listinfo/specs
> 