[OpenID] Direct Verification Conformance (formerly: Re: RPX (as used by openid.net) does not try Direct Verification)

John Bradley ve7jtb at ve7jtb.com
Tue Dec 1 13:39:25 UTC 2009


Yes, direct verification is allowed.

However, an OP that can't form associations would not pass the basic requirements for ICAM.

The line you are referring to from Sec 3.2 is intended to make it clear to the Government RPs that they must create an association or use an existing association handle for authentication requests they make to OPs.

If the association has expired they use direct verification per the spec.

John B.
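As an added illustration of the two verification paths this thread is about (not code from any poster, from RPX, or from the ICAM profile), the following Python sketches an RP that checks an assertion locally while it still holds the association handle and otherwise falls back to direct verification with check_authentication, dropping a handle the OP reports as invalidated. The endpoint URL, keys and handles are constructed placeholders, and stub_op is a stand-in for the OP's endpoint so the example runs offline.

```python
import base64, hashlib, hmac

def kv_form(params, signed):
    # Key-value form of the signed fields, in openid.signed order (OpenID 2.0, sec 6.1)
    return "".join(f"{k}:{params['openid.' + k]}\n" for k in signed.split(","))
def sign(params, mac_key):
    mac = hmac.new(mac_key, kv_form(params, params["openid.signed"]).encode(), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()
def verify_with_association(params, mac_key):
    # Path 1: the RP holds the handle's MAC key and checks openid.sig locally
    return hmac.compare_digest(sign(params, mac_key), params["openid.sig"])
def check_authentication_request(params):
    # Path 2: the assertion copied verbatim with only openid.mode changed (sec 11.4.2)
    return dict(params, **{"openid.mode": "check_authentication"})
def parse_kv(body):
    return dict(line.split(":", 1) for line in body.splitlines() if ":" in line)

def verify_assertion(params, assoc_store, send_direct):
    # RP decision: use the association if we still hold its handle, else verify directly
    mac_key = assoc_store.get(params["openid.assoc_handle"])
    if mac_key is not None:
        return verify_with_association(params, mac_key)
    resp = parse_kv(send_direct(params["openid.op_endpoint"], check_authentication_request(params)))
    if "invalidate_handle" in resp:  # OP confirmed our stored handle is stale: drop it
        assoc_store.pop(resp["invalidate_handle"], None)
    return resp.get("is_valid") == "true"

# Constructed sample data and a stand-in OP for offline use; not a real endpoint or key
OP_ENDPOINT = "https://op.example/openid"    # placeholder URL
OP_PRIVATE = {"op-private-1": b"\x01" * 32}  # OP-side key the RP never negotiated

def make_assertion(handle, key, invalidate=None):
    p = {"openid.ns": "http://specs.openid.net/auth/2.0", "openid.mode": "id_res",
         "openid.op_endpoint": OP_ENDPOINT, "openid.return_to": "https://rp.example/cb",
         "openid.claimed_id": "https://user.example/", "openid.assoc_handle": handle,
         "openid.response_nonce": "2009-12-01T13:39:25Zabc",
         "openid.signed": "op_endpoint,return_to,claimed_id,assoc_handle,response_nonce"}
    if invalidate:
        p["openid.invalidate_handle"] = invalidate
    p["openid.sig"] = sign(p, key)
    return p

def stub_op(endpoint, req):
    # Stand-in for the OP's check_authentication handling (sec 11.4.2.1)
    key = OP_PRIVATE.get(req["openid.assoc_handle"])
    ok = key is not None and req["openid.mode"] == "check_authentication" and verify_with_association(req, key)
    body = f"ns:http://specs.openid.net/auth/2.0\nis_valid:{str(ok).lower()}\n"
    if ok and req.get("openid.invalidate_handle") not in (None, *OP_PRIVATE):
        body += f"invalidate_handle:{req['openid.invalidate_handle']}\n"  # handle is gone at the OP
    return body
```

The second path is the case Andrew describes: the OP signed with a private association the RP never held, so the RP has no key for the handle and must ask the OP directly.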


On 2009-12-01, at 1:00 AM, Andrew Arnott wrote:

> Direct verification is still allowed in the ICAM spec. Associations that expire on the OP before the RP removes them still result in direct verification being performed. Also, unsolicited assertions are allowed in the ICAM spec, which of course requires direct verification.
> 
> --
> Andrew Arnott
> "I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - S. G. Tallentyre
> 
> 
> On Mon, Nov 30, 2009 at 7:47 PM, Shane B Weeden <sweeden at au1.ibm.com> wrote:
> Actually the point you make below is interesting when you look at
> deployment profiles like ICAM
> (http://www.idmanagement.gov/documents/ICAM_OpenID20Profile.pdf).
> 
> In section 3.2 Association Handles it states:
> 
>   The RP MUST form an association with the IdP and include the association
>      handle in the authentication request.
> 
> Does this imply then that direct verification is not permitted?
> 
> If an OP was to still accept direct verification, does that make it
> non-compliant with ICAM?
> 
> If yes, then I suspect it also follows that an ICAM-compliant OP is not
> OpenID 2.0 compliant :)
> 
> 
> From: "Manger, James H" <James.H.Manger at team.telstra.com>
> To: "Eddy Nigg (StartCom Ltd.)" <eddy_nigg at startcom.org>, "openid-general at lists.openid.net" <openid-general at lists.openid.net>
> Date: 01/12/2009 01:28 PM
> Subject: [OpenID] RPX (as used by openid.net) does not try Direct Verification
> Sent by: openid-general-bounces at lists.openid.net
> 
> 
> Eddy,
> 
> > Unfortunately I cannot vote because the authentication of OpenID doesn't
> > accept the StartSSL OP for some reason
> 
> I couldn’t vote either as openid.net no longer accepted the OP I used
> previously. Presumably the change occurred when openid.net switched OpenID
> implementations — it now uses RPX.
> RPX looks pretty good, but I don’t think it works with OPs that expect the
> RP to use Direct Verification, i.e. an OP that does not establish
> associations.
> Does the StartSSL OP expect direct verification to be used?
> 
> I eventually did vote — using the OpenID delegation feature to point my
> OpenID URI to another OP (a very nice feature of OpenID).
> 
> Establishing an association is optional in an OpenID 2.0 flow. It is
> RECOMMENDED that an RP form an association if possible.
> I don’t think the OpenID 2.0 spec says an OP MUST support associations. The
> spec says if an RP “does not have an association stored, it MUST request
> that the OP verify the signature via Direct Verification”, but it also says
> “if a Relying Party is incapable of creating or storing associations,
> Section 11.4.2 (Verifying Directly with the OpenID Provider) provides an
> alternate verification mechanism”. Perhaps an RP might think it complies
> with OpenID 2.0 once it is capable of using associations, without
> supporting direct verification. [a point to clarify in OpenID v.next]
> 
> 
> James Manger
> 
> _______________________________________________
> general mailing list
> general at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-general
> 
