Marius Scurtescu wrote: > On 16-Oct-06, at 2:44 PM, Josh Hoyt wrote: > > >>On 10/16/06, Recordon, David <[EMAIL PROTECTED]> wrote: >> >>>6.1 Signed List Algorithm >> >>[...] >> >>>I'm thinking it would make sense to >>>change this algorithm to first alphabetically sort the arguments >>>to make >>>it very clear in terms of ordering. >> >>I think it's a good idea to say that the signed list MUST be generated >>by the IdP in that order. Then signature *verification* is compatible >>with OpenID 1's algorithm. Unless there is objection, I'll do this. > > > Sorting of unicode strings while not terrible hard it is not trivial > either. Why bother? The list of signed fields gives an explicit > ordering, this is good enough IMO. > > Why would be an alphabetically sorted list better? >
I agree. What's the security benefit of forcing the protocol to use a specific order? The signed list has an inherent order that can change should attacks come to light in the future. Why remove that possibility? Hans _______________________________________________ specs mailing list specs@openid.net http://openid.net/mailman/listinfo/specs
