[OpenID] Direct Verification Conformance (formerly: Re: RPX (as used by openid.net) does not try Direct Verification)
Shane B Weeden
sweeden at au1.ibm.com
Tue Dec 1 03:47:42 UTC 2009
Actually the point you make below is interesting when you look at
deployment profiles like ICAM
(http://www.idmanagement.gov/documents/ICAM_OpenID20Profile.pdf).
In section 3.2 Association Handles it states:
The RP MUST form an association with the IdP and include the association
handle in the authentication request.
Does this imply then that direct verification is not permitted?
If an OP was to still accept direct verification, does that make it
non-compliant with ICAM?
If yes, then I suspect it also follows that an ICAM-compliant OP is non
OpenID 2.0 compliant :)
From: "Manger, James H" <James.H.Manger at team.telstra.com>
To: "Eddy Nigg (StartCom Ltd.)" <eddy_nigg at startcom.org>, "openid-general at lists.openid.net" <openid-general at lists.openid.net>
Date: 01/12/2009 01:28 PM
Subject: [OpenID] RPX (as used by openid.net) does not try Direct Verification
Sent by: openid-general-bounces at lists.openid.net
Eddy,
> Unfortunately I can not vote because the authentication of OpenID doesn't
> accept the StartSSL OP for some reason
I couldn’t vote either as openid.net no longer accepted the OP I used
previously. Presumably the change occurred when openid.net switched OpenID
implementations — it now uses RPX.
RPX looks pretty good, but I don’t think it works with OPs that expect the
RP to use Direct Verification, i.e. an OP that does not establish
associations.
Does the StartSSL OP expect direct verification to be used?
I eventually did vote — using the OpenID delegation feature to point by
OpenID URI to another OP (a very nice feature of OpenID).
Establishing an association is optional in an OpenID 2.0 flow. It is
RECOMMENDED that an RP form an association if possible.
I don’t think the OpenID 2.0 spec says an OP MUST support associations. The
spec says if an RP “does not have an association stored, it MUST request
that the OP verify the signature via Direct Verification”, but it also says
“if a Relying Party is incapable of creating or storing associations,
Section 11.4.2 (Verifying Directly with the OpenID Provider) provides an
alternate verification mechanism”. Perhaps an RP might think it complies
with OpenID 2.0 once it is capable of using associations, without
supporting direct verification. [a point to clarify in OpenID v.next]
James Manger
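The two verification paths James contrasts, as an added example (Python; not code from this thread, from RPX, or from any OP): the OP signs a positive assertion under an association, and the RP verifies it locally when it holds that association, otherwise by sending a check_authentication request, which the OP answers in key-value form and at most once per assertion. The handle, secret, URLs and nonces are constructed, and the transport is a function passed in so the whole exchange runs offline.

```python
import base64, hashlib, hmac
from urllib.parse import parse_qsl, urlencode

OPENID_NS = "http://specs.openid.net/auth/2.0"
# Constructed sample: the OP's association table. The RP holds a copy of the secret only if
# it chose to associate (section 8); otherwise the handle names a private association that
# only the OP knows, and the RP can only verify via Direct Verification.
OP_ASSOCS = {"assoc-1": b"\x0b" * 32}
OP_VERIFIED_NONCES = set()  # replay guard: one verification response per assertion (11.4.2.2)

def signature_base(p):
    """Signature base string (section 6.1): 'key:value\\n' for every field in openid.signed."""
    return "".join(f"{f}:{p.get('openid.' + f, '')}\n" for f in p["openid.signed"].split(",")).encode()

def sign(p, secret):
    """HMAC-SHA256 association type: base64 of the MAC over the signature base."""
    return base64.b64encode(hmac.new(secret, signature_base(p), hashlib.sha256).digest()).decode()

def op_positive_assertion(handle, claimed_id, nonce):
    """OP side: build a signed positive assertion (section 10.1) under the named association."""
    p = {"openid.ns": OPENID_NS, "openid.mode": "id_res", "openid.op_endpoint": "https://op.example/ep",
         "openid.claimed_id": claimed_id, "openid.identity": claimed_id,
         "openid.return_to": "https://rp.example/return", "openid.response_nonce": nonce,
         "openid.assoc_handle": handle,
         "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle"}
    p["openid.sig"] = sign(p, OP_ASSOCS[handle])
    return p

def op_check_authentication(body):
    """OP side of Direct Verification (section 11.4.2): re-check the signature with its own
    secret and answer in key-value form (section 4.1.1). Each assertion is verified at most once."""
    req = dict(parse_qsl(body))
    secret = OP_ASSOCS.get(req.get("openid.assoc_handle"))
    nonce = req.get("openid.response_nonce")
    ok = (req.get("openid.mode") == "check_authentication" and secret is not None
          and nonce not in OP_VERIFIED_NONCES
          and hmac.compare_digest(sign(req, secret), req.get("openid.sig", "")))
    if ok:
        OP_VERIFIED_NONCES.add(nonce)
    return f"ns:{OPENID_NS}\nis_valid:{'true' if ok else 'false'}\n"

def rp_verify(p, rp_assocs, post_to_op):
    """RP side (section 11.4): verify locally when the handle is a stored association, otherwise
    fall back to Direct Verification. Returns (valid, method); post_to_op is the injected transport."""
    secret = rp_assocs.get(p.get("openid.assoc_handle"))
    if secret is not None:
        return hmac.compare_digest(sign(p, secret), p.get("openid.sig", "")), "association"
    req = dict(p, **{"openid.mode": "check_authentication"})  # resend the assertion (11.4.2.1)
    kv = dict(line.split(":", 1) for line in post_to_op(urlencode(req)).splitlines() if ":" in line)
    return kv.get("is_valid") == "true", "direct"
```

An RP that holds an association never round-trips to the OP, which is why an RP that only implements the association path (the RPX case above) breaks against an OP that never issues one.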