Request for comments: Sorting fields in signature generation

Johnny Bufu johnny at sxip.com
Wed Sep 27 17:32:11 UTC 2006


On 26-Sep-06, at 4:48 PM, Josh Hoyt wrote:
> No one has written a proposal for pass-through arguments and it's not
> in any specification, so it's hard to answer your objection. If
> someone were to propose adding pass-through parameters to the
> specification, I would argue that:

Section 5.2 of draft 9 seems to imply, at least, that pass-through  
parameters are allowed, and specifies how the parties involved in the  
transaction should handle the openid / non-openid parameters.

> a) Including the pass-through arguments in the OpenID signature is not
> necessary (or constructive!)

That may be up to the RP to decide; if it decides that it needs to
trust such parameters included in an indirect message, not
allowing it to use the already existing openid mechanism would only
add complexity that can be avoided.

> b) It is quite reasonable to restrict them to only one value per  
> parameter name.

It would also be reasonable to place the restriction only on core  
openid parameters, and leave the possibility for them for extensions  
and pass-through parameters.

Johnny


