Request for comments: Sorting fields in signature generation

Josh Hoyt josh at
Wed Sep 27 21:47:11 UTC 2006

On 9/27/06, Johnny Bufu <johnny at> wrote:
> > Huh? I don't see anything in that section about a requirement to echo
> > back parameters.
> Not a requirement, but I read the second paragraph as implying they
> can/could be used.

An IdP is not forbidden from echoing back any unknown parameters it
got, but no OpenID implementation has ever done this, to my knowledge.
I expect that unless the specification said otherwise, applications
would ignore unexpected parameters. As far as I can tell, this is
standard behavior on the Web.

> If that weren't so, then why is there the "openid." prefix to the
> parameters in some of the messages?

The reason that the parameters have "openid." at the beginning is so
that it is clear that they are part of the OpenID protocol message and
not intended to be operated on by the application that is processing
the OpenID request. Basically, to reduce the likelihood of name
collisions with parameters that the application uses.


More information about the specs mailing list