On 9/26/06, Barry Ferg <[EMAIL PROTECTED]> wrote:
> The signature generation algorithm specifies that the fields to be
> signed be ordered in byte order form. It seems to be implied that
> the ordering is based on using the field names as sorting keys

I think the real topic of this discussion is whether or not multiple
parameters with the same name should be allowed by the specification.

I *strongly* prefer tightening the specification by *disallowing*
duplicate parameter names. PHP is one environment in which the
implementation will be problematic, but other common environments
(e.g. Rails) do not easily support this idiom. There is *no deployed
code* that depends on duplicated parameter names, and I'd like to keep
it that way. Keep it simple if possible.

I agree that the language in the specification should be clarified so
that the sort order is fully explicit. I would resolve this issue by
stating that the pairs must be sorted by key.

On another note:

> Pass-through (or "echo") parameters and potentially some OpenID
> extension parameters may include fields with multiple values in order
> to communicate arrays of data, etc.

Attribute exchange and other extensions can *easily* be designed not
to require multiple parameters with the same name. Pass-through
parameters are *not part of any OpenID specification.* Even if they
were, I don't think it would be too great of a restriction to disallow
duplicate parameter names.

Josh
_______________________________________________
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs
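
Added example, not part of the original message or of any OpenID specification text: a sketch of why "sorted by key" only yields one signing input when keys are unique. The `key:value\n` encoding, HMAC-SHA256, the function names and the sample parameters are assumptions made for illustration.

```python
import hashlib
import hmac


class DuplicateKeyError(ValueError):
    """Raised when a parameter name appears more than once."""


def _encode(pairs):
    # Compare keys as UTF-8 bytes so the order is locale-independent.
    return [(k.encode("utf-8"), v.encode("utf-8")) for k, v in pairs]


def _serialize(encoded):
    # Assumed encoding for this example: one "key:value" pair per line.
    return b"".join(k + b":" + v + b"\n" for k, v in encoded)


def canonical_base(pairs):
    """Strict rule: unique keys, sorted by key in byte order."""
    encoded = _encode(pairs)
    seen = set()
    for key, _ in encoded:
        if key in seen:
            raise DuplicateKeyError("duplicate parameter name: %r" % key)
        seen.add(key)
    return _serialize(sorted(encoded, key=lambda kv: kv[0]))


def key_only_sort_base(pairs):
    """Loose rule: duplicates accepted, sorted by key only.

    Python's sort is stable, so equal keys keep their arrival order and
    the result depends on how each side happened to parse the request.
    """
    return _serialize(sorted(_encode(pairs), key=lambda kv: kv[0]))


def sign(pairs, secret):
    """HMAC over the strict canonical form (algorithm is an assumption)."""
    return hmac.new(secret, canonical_base(pairs), hashlib.sha256).hexdigest()


if __name__ == "__main__":
    secret = b"constructed-secret"  # constructed sample value
    unique = [("openid.mode", "id_res"), ("openid.identity", "http://example.com/")]
    print(sign(unique, secret) == sign(unique[::-1], secret))  # order-independent
    dup = [("ext.tag", "a"), ("ext.tag", "b")]
    print(key_only_sort_base(dup) == key_only_sort_base(dup[::-1]))  # ambiguous
```

With duplicates allowed, signer and verifier would also have to agree on a tie-break (for example sorting by value as well), which is exactly the extra rule the strict form avoids.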