OpenID Attribute Exchange Protocol questions
Dick Hardt
dick at sxip.com
Tue Jul 10 18:30:01 UTC 2007
On 10-Jul-07, at 10:52 AM, Johnny Bufu wrote:
>
> On 10-Jul-07, at 8:43 AM, James Henstridge wrote:
>
>> On 10/07/07, Dick Hardt <dick at sxip.com> wrote:
>>> > Given that there doesn't seem to be any way to recover from this
>>> > situation, it seems like private associations are the only sane
>>> > option for unsolicited responses.
>>>
>>> An update message would require direct verification and not use an
>>> association. Associations are set by the RP, and in this case,
>>> the OP
>>> is initiating the conversation. I might be missing something, but I
>>> don't see how you can reliably use an association.
>>
>> That was the conclusion that I came to.
>>
>> I was replying to Johnny's statement that the OP knows the expiry
>> time
>> of the association handles it stores so could use a previously
>> negotiated handle in the unsolicited response.
>>
>> I think it would be good to include a statement to this effect in the
>> specification so that implementers don't have to work this out for
>> themselves (and maybe get it wrong).
>
>
> Looks like it's already in the spec, in section 10, Responding to
> Authentication Requests:
>
>> If no association handle is specified, the OP SHOULD create a
>> private association for signing the response. The OP MUST store
>> this association and MUST respond to later requests to check the
>> signature of the response via Direct Verification.
>
> http://openid.net/specs/openid-authentication-2_0-11.html#responding_to_authentication
That does not explain why no association handle was specified. I
think adding language to explain that an OP may initiate a
conversation, and that the message would then be verified by Direct
Verification as no association is available, would help.
-- Dick
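The flow discussed in this thread, as an added example that is not part of the original message or of any OpenID library: an OP signs an unsolicited assertion with a private association it stores, and the RP, which never negotiated that handle, falls back to Direct Verification (check_authentication). The OP endpoint, identifiers, nonce and the in-process method call standing in for the HTTP round trip are all constructed stand-ins.

```python
import base64, hashlib, hmac, secrets

OP_ENDPOINT = "https://op.example/endpoint"   # constructed placeholder endpoint

def kv_form(fields, signed):
    # OpenID 2.0 Key-Value form over the signed fields, in openid.signed order
    return "".join(f"{k}:{fields['openid.' + k]}\n" for k in signed).encode()

def sign(fields, signed, mac_key):
    mac = hmac.new(mac_key, kv_form(fields, signed), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()

class OP:
    def __init__(self):
        self.private_assocs = {}    # handle -> MAC key, stored so later check_authentication works
        self.verified_nonces = set()  # at most one verification response per assertion (anti-replay)
    def unsolicited_assertion(self, claimed_id, return_to):
        # No RP-negotiated association exists, so a fresh private association signs the assertion
        handle = "priv-" + secrets.token_hex(8)
        self.private_assocs[handle] = secrets.token_bytes(32)
        signed = ["op_endpoint", "claimed_id", "identity", "return_to", "response_nonce", "assoc_handle"]
        fields = {"openid.ns": "http://specs.openid.net/auth/2.0", "openid.mode": "id_res",
                  "openid.op_endpoint": OP_ENDPOINT, "openid.claimed_id": claimed_id,
                  "openid.identity": claimed_id, "openid.return_to": return_to,
                  "openid.response_nonce": "2007-07-10T18:30:01Z" + secrets.token_hex(4),  # constructed
                  "openid.assoc_handle": handle, "openid.signed": ",".join(signed)}
        fields["openid.sig"] = sign(fields, signed, self.private_assocs[handle])
        return fields
    def check_authentication(self, req):
        # Direct Verification: recompute the signature with the stored private association
        key = self.private_assocs.get(req.get("openid.assoc_handle"))
        nonce = req.get("openid.response_nonce")
        if key is None or nonce in self.verified_nonces:
            return {"is_valid": "false"}
        ok = hmac.compare_digest(sign(req, req["openid.signed"].split(","), key), req["openid.sig"])
        if ok:
            self.verified_nonces.add(nonce)
        return {"is_valid": "true" if ok else "false"}

class RP:
    def __init__(self, op):
        self.op, self.assocs = op, {}   # assocs: handles this RP negotiated itself (none here)
    def verify(self, response):
        handle = response["openid.assoc_handle"]
        if handle in self.assocs:   # normal case: check the MAC locally with the shared key
            signed = response["openid.signed"].split(",")
            return hmac.compare_digest(sign(response, signed, self.assocs[handle]), response["openid.sig"])
        # Unsolicited case: this RP never negotiated the handle, so only the OP can check the signature
        req = dict(response, **{"openid.mode": "check_authentication"})
        return self.op.check_authentication(req)["is_valid"] == "true"
```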