OpenID Attribute Exchange Protocol questions

James Henstridge james at jamesh.id.au
Tue Jul 10 15:43:20 UTC 2007


On 10/07/07, Dick Hardt <dick at sxip.com> wrote:
> > Given that there doesn't seem to be any way to recover from this
> > situation, it seems like private associations are the only sane option
> > for unsolicited responses.
>
> An update message would require direct verification and not use an
> association. Associations are set by the RP, and in this case, the OP
> is initiating the conversation. I might be missing something, but I
> don't see how you can reliably use an association.

That was the conclusion that I came to.

I was replying to Johnny's statement that the OP knows the expiry time
of the association handles it stores so could use a previously
negotiated handle in the unsolicited response.

I think it would be good to include a statement to this effect in the
specification so that implementers don't have to work this out for
themselves (and maybe get it wrong).

James.
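
Added example, not part of the original message or of any OpenID library: a relying party checking an unsolicited response by direct verification (OpenID Authentication 2.0 `check_authentication`) instead of looking up `openid.assoc_handle` among its stored associations. The `post_to_op` callable, the sample field values and the stub OP are constructed for illustration.

```python
from urllib.parse import urlencode, parse_qs

def build_check_authentication(assertion):
    """Form body for direct verification: every openid.* field of the
    received message copied unchanged, with only openid.mode replaced."""
    fields = {k: v for k, v in assertion.items() if k.startswith("openid.")}
    fields["openid.mode"] = "check_authentication"
    return urlencode(sorted(fields.items()))

def parse_kv(body):
    """Parse the OP's Key-Value Form reply (one 'key:value' per line)."""
    out = {}
    for line in body.splitlines():
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed key-value line: %r" % line)
        out[key] = value
    return out

def verify_unsolicited(assertion, post_to_op):
    """Accept the message only if the OP itself confirms the signature.
    post_to_op (hypothetical) POSTs the body to the OP endpoint the RP
    discovered on its own and returns the response text. No local
    association is consulted, since the RP did not start this exchange."""
    if assertion.get("openid.mode") != "id_res":
        return False
    reply = parse_kv(post_to_op(build_check_authentication(assertion)))
    return reply.get("is_valid") == "true"

# Constructed sample of an OP-initiated message as received by the RP.
SAMPLE = {
    "openid.ns": "http://specs.openid.net/auth/2.0",
    "openid.mode": "id_res",
    "openid.op_endpoint": "https://op.example/endpoint",
    "openid.assoc_handle": "handle-created-by-op",
    "openid.response_nonce": "2007-07-10T15:43:20Zabc123",
    "openid.signed": "op_endpoint,response_nonce,assoc_handle",
    "openid.sig": "Y29uc3RydWN0ZWQtc2lnbmF0dXJl",
}

def stub_op(valid):
    """Constructed stand-in for the OP's direct-verification endpoint."""
    answer = "true" if valid else "false"
    return lambda body: "ns:http://specs.openid.net/auth/2.0\nis_valid:%s\n" % answer
```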


