Request for comments: Sorting fields in signature generation

Josh Hoyt josh at
Wed Sep 27 17:04:22 UTC 2006

On 9/27/06, David Fuelling <sappenin at> wrote:
> Just for clarification -- if duplicate parameters of the same name are NOT
> allowed by the spec, would one still be able to encode multiple values in
> the same key/value pair?  Wouldn't this accomplish the same result as
> allowing duplicate key names?

OpenID already uses this mechanism. HMAC-SHA1 signatures include a
"signed" list, which is a single value containing a comma-separated
list (response to checkid_setup and checkid_immediate in [1],
sreg.required and sreg.optional in [2]).

This mechanism is simple, transparent and established. This is the
solution I prefer if fields in an OpenID message are multi-valued.
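
The "signed" mechanism mentioned above, as an added example that is not part of the original message or of any OpenID library: the comma-separated list in one value fixes which fields are covered and in what order, so no sorting and no duplicate keys are needed. It assumes the OpenID 1.1 key-value signing form ("name:value" lines, base64 HMAC-SHA1); the function names, the shared secret and the sample message are constructed for illustration, and rejecting duplicate parameters is the policy the thread is asking about, taken here as an assumption.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode

def parse_message(query):
    """Parse a query string, rejecting duplicate parameter names."""
    fields = {}
    for key, value in parse_qsl(query, keep_blank_values=True):
        if key in fields:
            raise ValueError("duplicate parameter: " + key)
        fields[key] = value
    return fields

def signature_base(fields, signed):
    """Build "name:value\\n" lines for the names in `signed`, in list order."""
    lines = []
    for name in signed.split(","):
        value = fields.get("openid." + name)
        if value is None:
            raise ValueError("signed field missing: openid." + name)
        if "\n" in value:  # a newline would forge an extra signed line
            raise ValueError("newline in value of openid." + name)
        lines.append(name + ":" + value + "\n")
    return "".join(lines).encode("utf-8")

def sign(secret, fields, signed):
    mac = hmac.new(secret, signature_base(fields, signed), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode("ascii")

def verify(secret, query):
    """True only if the message parses cleanly and openid.sig matches."""
    try:
        fields = parse_message(query)
        expected = sign(secret, fields, fields.get("openid.signed", ""))
    except ValueError:
        return False
    supplied = fields.get("openid.sig", "")
    return hmac.compare_digest(expected.encode(), supplied.encode())

def constructed_response(secret):
    """Constructed sample message (not real traffic), signed with `secret`."""
    fields = {"openid.mode": "id_res",
              "openid.identity": "http://example.com/alice",
              "openid.return_to": "http://rp.example/return",
              "openid.signed": "mode,identity,return_to"}
    fields["openid.sig"] = sign(secret, fields, fields["openid.signed"])
    return urlencode(fields)
```

A field that is not named in "signed" is not covered by the signature, so a verifier should only trust values whose names appear in that list.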


