Draft-029

From Yadis


Motivation

If a Relying Party receives a URL1 character string as a claimed identity, but the verified identity is URL2, under which circumstances should the Relying Party accept URL2 as equivalent to URL1?

Examples:

  • Do http://example.com/joe and http://example.com/joe/ refer to the same identity?
  • Do http://example.com/joe and http://example.com:80/joe refer to the same identity?
  • Do http://example.com/joe and https://example.com/joe refer to the same identity?

Different Yadis / OpenID / LID implementations have made different assumptions about some of these cases, which has already caused some interoperability problems (informally resolved since). The objective of this proposal is to clarify the rules.

This is not a change proposal for the Yadis 1.0 specification. Instead, we should consider it a separate proposal that may or may not be incorporated into a Yadis 1.1 spec in the future, if there is ever such a thing.

I also realize that some provisions in this proposal may be controversial. If so, the Discussion page is your friend ;-)

Algorithm

To determine whether or not URL1 and URL2 refer to the same identity, URL1 and URL2 are run through the following canonicalization algorithm. If and only if canon(URL1) and canon(URL2) are identical character strings, a relying party is allowed to consider them the same identity.

This algorithm only covers URLs with fully-qualified domain names in the host component; identity URLs whose host components are not fully-qualified are generally discouraged, and out of scope for this algorithm. Also, identity URLs with more than one query parameter (e.g. http://example.com/foo?a=b&c=d) are strongly discouraged and out of scope for this algorithm.

  1. if the URL is internationalized (i.e. an IRI), replace it with its URI form. E.g. http://www.atemschutzunfälle.de/ becomes http://www.xn--atemschutzunflle-7nb.de/
  2. if the protocol is https, replace the protocol with http.
  3. a URL that specifies port 80 or 443 (e.g. http://example.com:80/joe) will be converted to a URL that does not specify a port (e.g. http://example.com/joe).
  4. all characters in the host component are converted to lower case.
  5. all components of the path must be unescaped to the maximum extent possible, provided that no substring is unescaped more than once. For example, if a URL contained %41 as a character, this character needs to be replaced by its unescaped version A. However, if a URL contained %2541, it needs to be replaced by %41, NOT by A. Similarly, if a URL contained %20, for the purposes of comparison this character needs to be replaced by a space. If the URL's query component contains a +, it needs to be replaced by a space.
  6. any trailing slash is discarded. For example, the URL http://example.com/joe/ would be replaced by http://example.com/joe. This conversion is performed even for URLs that refer to the top resource on a host (e.g. http://example.com). Note that this is only for comparison purposes.

If at the end of this algorithm, the resulting character strings are identical, the two URLs are identical for Yadis purposes.
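The six steps above as a Python function (an added example, not code from the proposal or from any Yadis implementation). Assumptions of this example: URLs carrying userinfo or a fragment are rejected because the page does not address them, step 6 is applied to the path and removes exactly one slash, and the query is only changed by the + rule in step 5.

```python
from urllib.parse import urlsplit, unquote


def canon(url: str) -> str:
    """Return the comparison form of an identity URL (steps 1-6 above).

    Raises ValueError for URLs the algorithm declares out of scope.
    """
    parts = urlsplit(url.strip())
    host = parts.hostname  # urlsplit lower-cases the host (step 4)
    if parts.scheme.lower() not in ("http", "https") or not host:
        raise ValueError("not an http(s) URL with a host")
    if "." not in host or "&" in parts.query:
        # Host not fully qualified, or more than one query parameter.
        raise ValueError("outside the scope of the algorithm")
    if "@" in parts.netloc or parts.fragment:
        # Assumption of this example: the page is silent on these parts,
        # so refuse them instead of silently dropping them.
        raise ValueError("userinfo and fragments are not handled")

    # Step 1: IRI host to its ASCII (punycode) form.
    host = host.encode("idna").decode("ascii")
    # Steps 2 and 3: always http; ports 80 and 443 are omitted.
    port = "" if parts.port in (None, 80, 443) else f":{parts.port}"
    # Step 5: exactly one unescaping pass, so %2541 becomes %41, not A.
    # errors="strict" keeps invalid byte sequences from collapsing into
    # the same replacement character and comparing equal by accident.
    path = unquote(parts.path, errors="strict")
    query = parts.query.replace("+", " ")
    # Step 6: drop one trailing slash, also for the top resource.
    if path.endswith("/"):
        path = path[:-1]
    return f"http://{host}{port}{path}" + (f"?{query}" if query else "")


def same_identity(url1: str, url2: str) -> bool:
    """True only if both URLs canonicalize to the identical string."""
    return canon(url1) == canon(url2)


if __name__ == "__main__":
    # Constructed sample pairs based on the examples in the Motivation section.
    for a, b in [("http://example.com/joe", "https://example.com:443/joe/"),
                 ("http://example.com/%2541", "http://example.com/A")]:
        print(a, b, same_identity(a, b))
```

Because step 2 folds https into http, a match from `same_identity` says nothing about whether the verified URL was retrieved over TLS. The output of `canon` is for comparison only: step 5 can turn %2F or %3F into literal delimiters, so the canonical string should never be re-parsed or fetched.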

Protocols that use the Yadis framework may assume additional equality rules. For example, a protocol may consider http://xri.net/=Example to be equivalent to http://xri.example.net/=Example for its own purposes, even if Yadis considers these two URLs to be different.