[OpenID] RPX (as used by openid.net) does not try Direct Verification
Manger, James H
James.H.Manger at team.telstra.com
Tue Dec 1 03:26:28 UTC 2009
Eddy,
> Unfortunately I can not vote because the authentication of OpenID doesn't accept the StartSSL OP for some reason
I couldn’t vote either as openid.net no longer accepted the OP I used previously. Presumably the change occurred when openid.net switched OpenID implementations — it now uses RPX.
RPX looks pretty good, but I don’t think it works with OPs that expect the RP to use Direct Verification <http://openid.net/specs/openid-authentication-2_0.html#check_auth>, i.e. an OP that does not establish associations.
Does the StartSSL OP expect direct verification to be used?
I eventually did vote — using the OpenID delegation feature to point by OpenID URI to another OP (a very nice feature of OpenID).
Establishing an association is optional in an OpenID 2.0 flow. It is RECOMMENDED that an RP form an association if possible.
I don’t think the OpenID 2.0 spec says an OP MUST support associations. The spec says if an RP “does not have an association stored, it MUST request that the OP verify the signature via Direct Verification”, but it also says “if a Relying Party is incapable of creating or storing associations, Section 11.4.2 (Verifying Directly with the OpenID Provider) provides an alternate verification mechanism”. Perhaps an RP might think it complies with OpenID 2.0 once it is capable of using associations, without supporting direct verification. [a point to clarify in OpenID v.next]
James Manger
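An added illustration (not from this post, nor code from RPX or openid.net) of the two OpenID 2.0 verification paths the message contrasts: an RP that holds an association verifies the HMAC itself (section 11.4.1), while an assertion from an OP that never associates can only be checked by Direct Verification via check_authentication (section 11.4.2). The OP secret, endpoints, nonce and identifiers are constructed, and the OP is modelled as in-process functions rather than an HTTP endpoint.

```python
import base64
import hashlib
import hmac

SIGNED = "op_endpoint,return_to,response_nonce,assoc_handle,claimed_id,identity"
OP_SECRET = b"constructed-op-secret"  # constructed: the stateless OP's own signing key
FIELDS = {  # constructed positive-assertion fields
    "openid.op_endpoint": "https://op.example/endpoint",
    "openid.return_to": "https://rp.example/return",
    "openid.response_nonce": "2009-12-01T03:26:28Zabc123",
    "openid.claimed_id": "https://alice.example/",
    "openid.identity": "https://alice.example/",
}

def hmac_sha256_b64(secret, params):
    """Base64 HMAC-SHA256 over the Key-Value form of the openid.signed fields (sections 4.1.1, 6)."""
    kv = "".join(f"{k}:{params['openid.' + k]}\n" for k in params["openid.signed"].split(","))
    return base64.b64encode(hmac.new(secret, kv.encode(), hashlib.sha256).digest()).decode()

def op_positive_assertion(fields):
    """Stateless OP: sign under a private handle that no RP holds a shared secret for."""
    params = {**fields, "openid.mode": "id_res", "openid.assoc_handle": "private-1",
              "openid.signed": SIGNED}
    params["openid.sig"] = hmac_sha256_b64(OP_SECRET, params)
    return params

def op_check_authentication(params):
    """Direct Verification endpoint (11.4.2): mode is not a signed field, so the MAC still matches."""
    if params.get("openid.mode") != "check_authentication":
        return {"is_valid": "false"}
    ok = hmac.compare_digest(hmac_sha256_b64(OP_SECRET, params), params["openid.sig"])
    return {"is_valid": "true" if ok else "false"}

def rp_verify(params, assoc_store, allow_direct):
    """Verify locally with a stored association (11.4.1) if the handle is known, else fall
    back to Direct Verification; allow_direct=False models an RP without that fallback."""
    secret = assoc_store.get(params["openid.assoc_handle"])
    if secret is not None:
        return hmac.compare_digest(hmac_sha256_b64(secret, params), params["openid.sig"])
    if not allow_direct:
        return False  # unknown handle and no check_authentication: the login simply fails
    reply = op_check_authentication({**params, "openid.mode": "check_authentication"})
    return reply["is_valid"] == "true"

def demo():
    assertion = op_positive_assertion(FIELDS)
    return rp_verify(assertion, {}, True), rp_verify(assertion, {}, False)

if __name__ == "__main__":
    print(demo())  # (True, False)
```

The second value is the failure mode described above: the same valid assertion is rejected purely because the RP has no association for the handle and never asks the OP to verify.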