Request for comments: Sorting fields in signature generation
josh at janrain.com
Tue Sep 26 23:13:19 UTC 2006
On 9/26/06, Barry Ferg <barry at sxip.com> wrote:
> The signature generation algorithm specifies that the fields to be
> signed be ordered in byte order form. It seems to be implied that
> the ordering is based on using the field names as sorting keys
I think the real topic of this discussion is whether or not multiple
parameters with the same name should be allowed by the specification.
I *strongly* prefer tightening the specification by *disallowing*
duplicate parameter names. PHP is one environment in which the
implementation will be problematic, but other common environments
(e.g. Rails) do not easily support this idiom. There is *no deployed
code* that depends on duplicated parameter names, and I'd like to keep
it that way. Keep it simple if possible.
I agree that the language in the specification should be clarified so
that the sort order is fully explicit. I would resolve this issue by
stating that the pairs must be sorted by key.
On another note:
> Pass-through (or "echo") parameters and potentially some OpenID
> extension parameters may include fields with multiple values in order
> to communicate arrays of data, etc.
Attribute exchange and other extensions can *easily* be designed not
to require multiple parameters with the same name.
Pass-through parameters are *not part of any OpenID specification.*
Even if they were, I don't think it would be too great of a
restriction to disallow duplicate parameter names.
More information about the specs