[OpenID] Direct Verification Conformance (formerly: Re: RPX (as used by openid.net) does not try Direct Verification)
Andrew Arnott
andrewarnott at gmail.com
Tue Dec 1 04:00:14 UTC 2009
Direct verification is still allowed in the ICAM spec. Associations that
expire on the OP before the RP removes them still result in direct
verification being performed. Also, unsolicited assertions are allowed in
the ICAM spec, which of course requires direct verification.
--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death
your right to say it." - S. G. Tallentyre
On Mon, Nov 30, 2009 at 7:47 PM, Shane B Weeden <sweeden at au1.ibm.com> wrote:
> Actually the point you make below is interesting when you look at
> deployment profiles like ICAM
> (http://www.idmanagement.gov/documents/ICAM_OpenID20Profile.pdf).
>
> In section 3.2 Association Handles it states:
>
> The RP MUST form an association with the IdP and include the association
> handle in the authentication request.
>
> Does this imply then that direct verification is not permitted?
>
> If an OP was to still accept direct verification, does that make it
> non-compliant with ICAM?
>
> If yes, then I suspect it also follows that an ICAM-compliant OP is non
> OpenID 2.0 compliant :)
>
>
> From: "Manger, James H" <James.H.Manger at team.telstra.com>
> To: "Eddy Nigg (StartCom Ltd.)" <eddy_nigg at startcom.org>, "openid-general at lists.openid.net" <openid-general at lists.openid.net>
> Date: 01/12/2009 01:28 PM
> Subject: [OpenID] RPX (as used by openid.net) does not try Direct Verification
> Sent by: openid-general-bounces at lists.openid.net
>
> Eddy,
>
> > Unfortunately I can not vote because the authentication of OpenID doesn't
> > accept the StartSSL OP for some reason
>
> I couldn’t vote either as openid.net no longer accepted the OP I used
> previously. Presumably the change occurred when openid.net switch OpenID
> implementations — it now uses RPX.
> RPX looks pretty good, but I don’t think it works with OPs that expect the
> RP to use Direct Verification, i.e. an OP that does not establish
> associations.
> Does the StartSSL OP expect direct verification to be used?
>
> I eventually did vote — using the OpenID delegation feature to point by
> OpenID URI to another OP (a very nice feature of OpenID).
>
> Establishing an association is optional in an OpenID 2.0 flow. It is
> RECOMMENDED that an RP form an association if possible.
> I don’t think the OpenID 2.0 spec says an OP MUST support associations. The
> spec says if an RP “does not have an association stored, it MUST request
> that the OP verify the signature via Direct Verification”, but it also says
> “if a Relying Party is incapable of creating or storing associations,
> Section 11.4.2 (Verifying Directly with the OpenID Provider) provides an
> alternate verification mechanism”. Perhaps an RP might think it complies
> with OpenID 2.0 once it is capable of using associations, without
> supporting direct verification. [a point to clarify in OpenID v.next]
>
>
> James Manger
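The two verification paths the thread is arguing about, as an added example that is not part of any message above: an RP first tries the shared-secret check with a stored association, and falls back to direct verification (check_authentication) when the OP has already expired that association and signed with a private one, or when the assertion was unsolicited. The StubOP class, the field values, the MAC keys and the handle names are constructed for illustration; the message layout and signature scheme follow OpenID 2.0 sections 4.1.1, 6.1, 10.1 and 11.4.

```python
import base64, hashlib, hmac
def kv_form(fields, signed_keys):
    """Key-Value form (OpenID 2.0 section 4.1.1) of the signed fields, in openid.signed order."""
    return "".join(f"{k}:{fields['openid.' + k]}\n" for k in signed_keys)

def compute_sig(fields, mac_key):
    """Base64 HMAC-SHA256 over the signed fields (section 6.1), as an HMAC-SHA256 association uses."""
    keys = fields["openid.signed"].split(",")
    mac = hmac.new(mac_key, kv_form(fields, keys).encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")

def verify_assertion(fields, rp_assocs, op_check_auth):
    """RP-side check of a positive assertion: 'association', 'direct' or 'invalid'.
    rp_assocs maps handle -> mac_key; op_check_auth stands in for a POST to the OP endpoint."""
    mac_key = rp_assocs.get(fields["openid.assoc_handle"])
    if mac_key is not None:  # shared-secret path, section 11.4.1
        ok = hmac.compare_digest(compute_sig(fields, mac_key), fields["openid.sig"])
        return "association" if ok else "invalid"
    # No association for this handle (expired at the OP, or an unsolicited assertion): direct verification, 11.4.2.
    answer = op_check_auth(dict(fields, **{"openid.mode": "check_authentication"}))
    if answer.get("is_valid") != "true":
        return "invalid"
    # Only a verified check_authentication response may retire a stored association (11.4.2.3).
    rp_assocs.pop(answer.get("invalidate_handle"), None)
    return "direct"

class StubOP:
    """Constructed stand-in for an OP (not a real one): private associations the RP never sees."""
    def __init__(self):
        self.private = {}

    def sign_privately(self, fields, handle, mac_key, stale_rp_handle=None):
        self.private[handle] = mac_key
        signed = dict(fields, **{"openid.assoc_handle": handle})
        if stale_rp_handle:  # section 10.1: name the RP handle the OP no longer knows
            signed["openid.invalidate_handle"] = stale_rp_handle
        signed["openid.sig"] = compute_sig(signed, mac_key)
        return signed

    def check_authentication(self, request):
        mode_ok = request.get("openid.mode") == "check_authentication"
        mac_key = self.private.pop(request.get("openid.assoc_handle"), None) if mode_ok else None
        if mac_key is None:  # unknown, or already used once (11.4.2.2)
            return {"is_valid": "false"}
        as_sent = dict(request, **{"openid.mode": "id_res"})  # restore the mode the RP received
        ok = hmac.compare_digest(compute_sig(as_sent, mac_key), request["openid.sig"])
        answer = {"is_valid": "true" if ok else "false"}
        if ok and "openid.invalidate_handle" in request:  # echo the stale handle (11.4.2.3)
            answer["invalidate_handle"] = request["openid.invalidate_handle"]
        return answer
```

Because the RP copies every assertion field into the check_authentication request, the OP's invalidate_handle only takes effect once the OP has vouched for the assertion, so an unsigned hint cannot by itself make the RP discard a live association.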