Brad Fitzpatrick wrote:
>
> Counter-argument: but OpenID 1.1 does have two parameters: one's just in
> the return_to URL and managed by the client library, arguably in its own
> ugly namespace (not IdP/RP managed, not "openid.", but something else...
> the Perl library uses "oic." or something). So then it's harder to
> document the correct behavior to people ("RPs should verify the mapping
> when you get a signature!") because the parameter names aren't consistent
> between RP clients.
>
Not specifying it gives RPs the freedom to put whatever handle they want
in the return_to, though. If they *are* able to maintain state, they
might have some arg like ?handle=1380a383198bcefd933, which is
completely opaque to everyone except the RP.
I'd rather avoid specifying things we don't need to specify, since it
leaves more flexibility for implementors in an area where this
flexibility doesn't do any harm.
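An added example, not part of the original message or of any OpenID library: a stateful RP that puts only an opaque handle in return_to and verifies the mapping when the signed response arrives. The function names, the in-memory store, the rp.example URL, and the reading of "mapping" as claimed identifier to IdP identity are assumptions; signature verification is assumed to happen elsewhere and is passed in as a flag.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Hypothetical RP-side state: opaque handle -> (identifier the user typed, identity expected from the IdP)
_pending = {}

RP_RETURN_BASE = "https://rp.example/openid/return"  # constructed sample URL


def begin_login(claimed_id, idp_identity):
    """Remember the mapping server-side; return a return_to URL carrying only the opaque handle."""
    handle = secrets.token_hex(10)  # unguessable, meaningless to anyone but the RP
    _pending[handle] = (claimed_id, idp_identity)
    return RP_RETURN_BASE + "?" + urlencode({"handle": handle})


def finish_login(response_params, signature_ok):
    """Return the claimed identifier if the response matches the stored mapping, else None."""
    if not signature_ok:  # signature check itself is done by the caller (assumption)
        return None
    # OpenID 1.1 lists signed fields without the "openid." prefix, comma-separated.
    signed = response_params.get("openid.signed", "").split(",")
    if "identity" not in signed or "return_to" not in signed:
        return None  # an unsigned handle or identity proves nothing
    return_to = response_params.get("openid.return_to", "")
    if not return_to.startswith(RP_RETURN_BASE + "?"):
        return None
    handles = parse_qs(urlparse(return_to).query).get("handle", [])
    if len(handles) != 1:
        return None
    entry = _pending.pop(handles[0], None)  # single use: a replayed handle finds nothing
    if entry is None:
        return None
    claimed_id, expected_identity = entry
    if response_params.get("openid.identity") != expected_identity:
        return None  # signed identity is not the one this handle was issued for
    return claimed_id
```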