Request for comments: Sorting fields in signature generation
johnny at sxip.com
Wed Sep 27 17:32:11 UTC 2006
On 26-Sep-06, at 4:48 PM, Josh Hoyt wrote:
> No one has written a proposal for pass-through arguments and it's not
> in any specification, so it's hard to answer your objection. If
> someone were to propose adding pass-through parameters to the
> specification, I would argue that:
Section 5.2 of draft 9 seems to imply, at least, that pass-through
parameters are allowed, and specifies how the parties involved in the
transaction should handle the openid / non-openid parameters.
> a) Including the pass-through arguments in the OpenID signature is not
> necessary (or constructive!)
That may be up to the RP to decide; if it decides that it needs to
trust such parameters included in an indirect message, by not
allowing it to use the already existing openid mechanism would only
add complexity that can be avoided.
> b) It is quite reasonable to restrict them to only one value per
> parameter name.
It would also be reasonable to place the restriction only on core
openid parameters, and leave the possibility for them for extensions
and pass-through parameters.
More information about the specs