Request for comments: Sorting fields in signature generation

Marius Scurtescu marius at
Wed Sep 27 18:27:38 UTC 2006

On 27-Sep-06, at 10:09 AM, Josh Hoyt wrote:

> On 9/27/06, Barry Ferg <barry at> wrote:
>> For that matter, isn't having implementation issues in certain
>> restrictive development environments drive the specification kind of
>> like the tail wagging the dog?
> I am attempting to be pragmatic. Why add something to the
> specification that makes it harder to implement, especially in some of
> the most common deployment environments? I mentioned Rails and PHP. We
> (JanRain) have library implementations of OpenID 1.1 for Python, PHP,
> Ruby, Java, .Net, and Perl. The PHP and Ruby libraries are by far the
> most popular of those libraries. I think this is justification for
> taking them into account when deciding whether to add a new
> complication to the specification. Allowing multiple parameters with
> the same name is *a new complication.*

I agree that this is a new complication and that you should always  
keep things as simple as possible. But not simpler than that. The  
main argument seems to be around what is too simple.

Just to clarify and to make sure we are on the same page here:

1. Both PHP and Rails are using multi value parameters, they are  
quite common.

2. PHP and Rails, and probably other frameworks are using a special  
syntax for multi value parameters (parameter names ending with []).

3. Support for the generic multi value parameters seems possible in  
PHP (and I assume Rails as well). While this is not trivial it does  
not seem terrible hard either.

4. The core spec can stick with single value parameters.

5. Only IdPs will need to deal with parsing multi value parameters,  
and requirements for IdPs are higher anyhow.

6. Simple RPs that cannot handle generic multi value parameters will  
not use them and everything is fine.

7. The only bigger change in the spec is regarding sorting parameters  
for signing. Pretty simple IMHO.

Also, please keep in mind that we are not asking for some fancy new  
technology or feature, just conformance with a very basic an wide  
spread convention of handling parameters in HTTP/HTML.


More information about the specs mailing list