OpenID Attribute Exchange Protocol questions

Dick Hardt dick at sxip.com
Tue Jul 10 15:53:59 UTC 2007


On 10-Jul-07, at 8:43 AM, James Henstridge wrote:

> On 10/07/07, Dick Hardt <dick at sxip.com> wrote:
>> > Given that there doesn't seem to be any way to recover from this
>> > situation, it seems like private associations are the only sane option
>> > for unsolicited responses.
>>
>> An update message would require direct verification and not use an
>> association. Associations are set by the RP, and in this case, the OP
>> is initiating the conversation. I might be missing something, but I
>> don't see how you can reliably use an association.
>
> That was the conclusion that I came to.
>
> I was replying to Johnny's statement that the OP knows the expiry time
> of the association handles it stores so could use a previously
> negotiated handle in the unsolicited response.
>
> I think it would be good to include a statement to this effect in the
> specification so that implementers don't have to work this out for
> themselves (and maybe get it wrong).

Agreed.
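
The conclusion reached in this thread, as an added example that is not part of the original messages or of any OpenID library: an RP-side sketch that uses a stored association only for responses it solicited and falls back to direct verification (`check_authentication`) for anything OP-initiated. The function names, the `solicited` flag and the sample message are assumptions made for illustration.

```python
from urllib.parse import urlencode

# Constructed sample: an OP-initiated (unsolicited) message that happens to
# carry a handle the RP once negotiated. All values are made up.
UNSOLICITED = {
    "openid.ns": "http://specs.openid.net/auth/2.0",
    "openid.mode": "id_res",
    "openid.assoc_handle": "h1",
    "openid.signed": "assoc_handle,response_nonce",
    "openid.response_nonce": "2007-07-10T15:53:59Zabc",
    "openid.sig": "c2lnbmF0dXJl",
}

def choose_verification(message, solicited, rp_handles):
    """Use an association only when the RP started the exchange.

    For an OP-initiated message the RP cannot rely on the handle still being
    valid on both sides, so a matching handle is deliberately ignored.
    """
    handle = message.get("openid.assoc_handle")
    if solicited and handle in rp_handles:
        return "association"
    return "direct"

def build_check_authentication(message):
    """Direct verification body: every openid.* field copied unchanged,
    with openid.mode replaced by check_authentication."""
    fields = {k: v for k, v in message.items()
              if k.startswith("openid.") and k != "openid.mode"}
    fields["openid.mode"] = "check_authentication"
    return urlencode(sorted(fields.items()))

def parse_key_value(body):
    """Parse the OP's Key-Value Form reply ('key:value' lines)."""
    parsed = {}
    for line in body.split("\n"):
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed Key-Value line: %r" % line)
        parsed[key] = value
    return parsed

def accept_direct(response_body):
    """Accept only an explicit is_valid:true; anything else is a rejection."""
    return parse_key_value(response_body).get("is_valid") == "true"
```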



