On 1/23/07, <b class="gmail_sendername">Josh Hoyt</b> <<a href="mailto:josh@janrain.com">josh@janrain.com</a>> wrote:<br>> On 1/23/07, Bob Wyman <<a href="mailto:bob@wyman.us">bob@wyman.us</a>> wrote<br>>> BTW: OpenID provides a means for OP and RP to establish a secure
<br>>> association. Why doesn't it do the same for OP and Client?<br>> There is nothing in the protocol that prevents any software from<br>> making associations with the OP using the same mechanism<br>> that RPs use.
<br><br>I realize that the client COULD make associations with the OP, what I'm not sure about is why the process is explicitly discussed and mapped out for RPs but not for client software... Why would it be "out of scope" for OpenID to document client software's use of associations in the same way that it currently documents RPs' use of associations? Why does OpenID treat the security concerns of client software so much differently from the way it treats the security concerns of RPs?
<br><br>bob wyman<br><br>