[OpenID] OpenId Association Timeout Recommendations

Granqvist, Hans hgranqvist at verisign.com
Thu Feb 8 18:29:02 UTC 2007

> However, the spec seems to indicate that if SSL/TLS is used, 
> then Direct Verification is ok (Section 15.1.2, first line of 
> 2nd paragraph).  Do you agree?

In principle, yes, I do.  But SSL is such an ephemeral notion.
For instance, you can run SSL with NULL cipher suites so that 
traffic goes in the clear.

To me, it seems that a RP that knows how to properly set up 
and use SSL to verify the OP (with PKI trust processing) 
would probably want to equally properly OpenID-associate.

The original intent of DV was for usage scenarios ("ajax") 
where proper SSL is not normally nor easily available nor 


More information about the general mailing list