Peter,<br><br>You've been posting to a lot of threads yourself around unsolicited assertions. You're not alone in believing that the language around unsolicited assertions in the OpenID 2.0 spec is unclear. But I must say I'm not with you on that one. <br>
<br>In implementing OpenID 2.0 in DotNetOpenId, I found that unsolicited assertions support to the RP side was a natural fallout of implementing the whole spec. I didn't have to do anything special at all to support them. The OP side left me to be just a bit creative: the only thing I had to decide on my own for lack of a spec was to have the user initiate the assertion while logged into the OP by typing in the RP's realm URL so that RP discovery could do the work of figuring out where the return_to was that the unsolicited assertion should be sent. Also, of the many return_to URLs that might be listed in an RP's XRDS file, the OP just selects the first one and hopes that that is the one where the user's login will be accepted in a user-friendly way (i.e. the user won't be logged into the admin portion of the web site when he's just a normal user).<br>
<br>I'd be happy to fill you in on details of how I did it if you'd like, but again, I felt that the spec gave a complete enough description of assertion discovery that it just worked. <br><br>And for all your "discovery4" markers in your emails that seem to suggest multiple rounds of discovery, my RP only requires one identifier discovery step to receive an unsolicited assertion.<br>
<br><div class="gmail_quote">On Tue, Nov 11, 2008 at 5:47 AM, Peter Williams <span dir="ltr">&lt;<a href="mailto:pwilliams@rapattoni.com">pwilliams@rapattoni.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div link="blue" vlink="purple" lang="EN-US">
<div>
<p><span lang="EN">15.1.1. Eavesdropping Attacks</span></p>
<p><span style="color: rgb(31, 73, 125);">This section should be renamed </span><span lang="EN">15.1.1. Reuse of Assertions</span></p>
<p><span lang="EN">The section discusses 2 topics: eavesdropping,
replay on the wire of an assertion to a given RP.</span></p>
<p><span lang="EN">The use of the term eavesdropping (a passive
attack) is somewhat inappropriate, since the description is all about an active
deletion and insertion attack, following early intercept.</span></p>
<div>
<div style="border-style: solid none none; border-color: rgb(181, 196, 223) -moz-use-text-color -moz-use-text-color; border-width: 1pt medium medium; padding: 3pt 0in 0in;">
<p><b><span style="font-size: 10pt;">From:</span></b><span style="font-size: 10pt;"> <a href="mailto:general-bounces@openid.net" target="_blank">general-bounces@openid.net</a>
[mailto:<a href="mailto:general-bounces@openid.net" target="_blank">general-bounces@openid.net</a>] <b>On Behalf Of </b>Peter Williams<br>
<b>Sent:</b> Tuesday, November 11, 2008 5:17 AM<br>
<b>Cc:</b> OpenID List<br>
<b>Subject:</b> [OpenID] review of text for validating unsolicited assertions,
given an openid2 request about identity=localid</span></p>
</div>
</div>
</div>
</div>
<br></blockquote></div><br>
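<p>An added example, not part of the original message and not DotNetOpenId code: the OP-side RP discovery step described above, reading an RP's XRDS document for return_to entries and keeping only those that fall under the realm the user typed. The sample XRDS, the hosts, the function names and the choice to order by XRD priority rather than document order are assumptions, and the realm check is simplified (no wildcard realms).</p>

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

XRD = "{xri://$xrd*($v*2.0)}"
RETURN_TO_TYPE = "http://specs.openid.net/auth/2.0/return_to"
PORTS = {"http": 80, "https": 443}
# Constructed XRDS for a hypothetical RP; document order lists the admin URL first.
SAMPLE_XRDS = """<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
 <XRD>
  <Service priority="10">
   <Type>http://specs.openid.net/auth/2.0/return_to</Type>
   <URI>https://rp.example/admin/login</URI>
  </Service>
  <Service priority="0">
   <Type>http://specs.openid.net/auth/2.0/return_to</Type>
   <URI>https://rp.example/openid/return</URI>
   <URI>https://other.example/return</URI>
  </Service>
 </XRD>
</xrds:XRDS>"""

def matches_realm(realm, url):
    """Simplified realm match: same scheme/host/port and path at or below the realm."""
    try:
        r, u = urlsplit(realm), urlsplit(url)
        same = r.scheme in PORTS and (r.scheme, r.hostname, r.port or PORTS[r.scheme]) == (
            u.scheme, u.hostname, u.port or PORTS.get(u.scheme))
    except ValueError:  # malformed port in untrusted input
        return False
    rpath, upath = r.path or "/", u.path or "/"
    return same and not u.fragment and (
        upath == rpath or upath.startswith(rpath.rstrip("/") + "/"))

def _priority(el):
    p = el.get("priority")  # lower value wins; a missing priority sorts last
    return int(p) if p and p.isdigit() else float("inf")

def return_to_candidates(xrds_text, realm):
    """Return realm-matching return_to URLs from the RP's XRDS, best priority first."""
    found = []
    for svc in ET.fromstring(xrds_text).iter(XRD + "Service"):
        types = [(t.text or "").strip() for t in svc.findall(XRD + "Type")]
        if RETURN_TO_TYPE not in types:
            continue
        for uri in svc.findall(XRD + "URI"):
            url = (uri.text or "").strip()
            if matches_realm(realm, url):
                found.append((_priority(svc), _priority(uri), url))
    return [url for _, _, url in sorted(found)]
```

<p>An empty result means the XRDS lists no return_to under that realm, in which case there is nowhere safe to send the assertion.</p>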