<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">

<head>
<meta http-equiv=Content-Type content="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 12 (filtered medium)">
<style>
<!--
 /* Font Definitions */
 @font-face
        {font-family:Wingdings;
        panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:Consolas;
        panose-1:2 11 6 9 2 2 4 3 2 4;}
@font-face
        {font-family:Verdana;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
 /* Style Definitions */
 p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:11.0pt;
        font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
p.MsoPlainText, li.MsoPlainText, div.MsoPlainText
        {mso-style-priority:99;
        mso-style-link:"Plain Text Char";
        margin:0in;
        margin-bottom:.0001pt;
        font-size:10.5pt;
        font-family:Consolas;}
span.PlainTextChar
        {mso-style-name:"Plain Text Char";
        mso-style-priority:99;
        mso-style-link:"Plain Text";
        font-family:Consolas;}
span.EmailStyle19
        {mso-style-type:personal;
        font-family:"Calibri","sans-serif";
        color:#1F497D;}
span.EmailStyle20
        {mso-style-type:personal-reply;
        font-family:"Calibri","sans-serif";
        color:#1F497D;}
.MsoChpDefault
        {mso-style-type:export-only;
        font-size:10.0pt;}
@page Section1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.Section1
        {page:Section1;}
 /* List Definitions */
 @list l0
        {mso-list-id:1154568683;
        mso-list-template-ids:-782091006;}
@list l0:level1
        {mso-level-number-format:bullet;
        mso-level-text:\F0B7;
        mso-level-tab-stop:.5in;
        mso-level-number-position:left;
        text-indent:-.25in;
        mso-ansi-font-size:10.0pt;
        font-family:Symbol;}
@list l1
        {mso-list-id:1916741653;
        mso-list-type:hybrid;
        mso-list-template-ids:-1793424506 67698703 67698713 67698715 67698703 67698713 67698715 67698703 67698713 67698715;}
@list l1:level1
        {mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l1:level2
        {mso-level-tab-stop:1.0in;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l1:level3
        {mso-level-tab-stop:1.5in;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l1:level4
        {mso-level-tab-stop:2.0in;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l1:level5
        {mso-level-tab-stop:2.5in;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l1:level6
        {mso-level-tab-stop:3.0in;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l1:level7
        {mso-level-tab-stop:3.5in;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l1:level8
        {mso-level-tab-stop:4.0in;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l1:level9
        {mso-level-tab-stop:4.5in;
        mso-level-number-position:left;
        text-indent:-.25in;}
ol
        {margin-bottom:0in;}
ul
        {margin-bottom:0in;}
-->
</style>
</head>

<body lang=EN-US link=blue vlink=purple>

<div class=Section1>

<p class=MsoNormal style='mso-margin-top-alt:auto;margin-right:24.0pt;
mso-margin-bottom-alt:auto;margin-left:60.0pt;text-indent:-.25in;mso-list:l0 level1 lfo3'><![if !supportLists]><span
lang=EN style='font-size:10.0pt;font-family:Symbol;color:black'><span
style='mso-list:Ignore'>&middot;<span style='font:7.0pt "Times New Roman"'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
</span></span></span><![endif]><span lang=EN style='font-family:"Verdana","sans-serif";
color:black'>The Relying Party MUST accept an <a
href="http://openid.net/specs/openid-authentication-2_0.html#positive_assertions"><span
style='text-decoration:none'>authentication response<span style='display:none'>
(Positive Assertions)</span></span></a> that is missing the
&quot;openid.response_nonce&quot; parameter. It SHOULD implement a method for
preventing replay attacks. <o:p></o:p></span></p>

<p class=MsoNormal style='mso-margin-top-alt:auto;margin-right:24.0pt;
mso-margin-bottom-alt:auto;margin-left:60.0pt'><span lang=EN style='font-family:
"Verdana","sans-serif";color:black'><o:p>&nbsp;</o:p></span></p>

<p class=MsoNormal style='mso-margin-top-alt:auto;margin-right:24.0pt;
mso-margin-bottom-alt:auto;margin-left:60.0pt;text-indent:-.25in;mso-list:l0 level1 lfo3'><![if !supportLists]><span
lang=EN style='font-size:10.0pt;font-family:Symbol;color:black'><span
style='mso-list:Ignore'>&middot;<span style='font:7.0pt "Times New Roman"'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
</span></span></span><![endif]><span lang=EN style='font-family:"Verdana","sans-serif";
color:black'>Relying Parties MUST accept <a
href="http://openid.net/specs/openid-authentication-2_0.html#positive_assertions"><span
style='text-decoration:none'>authentication responses<span style='display:none'>
(Positive Assertions)</span></span></a> that are missing the
&quot;openid.op_endpoint&quot; parameter. <o:p></o:p></span></p>

<p class=MsoNormal><span style='color:#1F497D'><o:p>&nbsp;</o:p></span></p>

<p class=MsoPlainText><span style='color:#1F497D'>I don&#8217;t know formally now
what &#8220;accept&#8221; means (but it&#8217;s a MUST). Rewriting should make it
clear that &#8216;accept&#8217; - in this context - does not absolve the RP of
performing follow-up discovery (as required). That discovery may determine that
the authentication response is &#8216;not reliable&#8217; (post &#8216;accept&#8217;ance).<o:p></o:p></span></p>

<p class=MsoPlainText><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p>&nbsp;</o:p></span></p>

<p class=MsoNormal style='mso-margin-top-alt:auto;margin-right:24.0pt;
mso-margin-bottom-alt:auto'><span style='color:#1F497D'>Text such as &#8220;</span><span
lang=EN style='font-family:"Verdana","sans-serif";color:black'>It SHOULD
implement a method for preventing replay attacks&#8221; is arguably bad form in
a standard. It&#8217;s setting a conformance test for specifically local countermeasures,
ones that furthermore mandate _<i>preventative</i>_ controls (that are
undefined). <o:p></o:p></span></p>

<p class=MsoNormal style='mso-margin-top-alt:auto;margin-right:24.0pt;
mso-margin-bottom-alt:auto'><span lang=EN style='font-family:"Verdana","sans-serif";
color:black'>Consider &#8220;It is recommended that &#8230;&#8221; here, as better
form.<o:p></o:p></span></p>

<p class=MsoNormal style='mso-margin-top-alt:auto;margin-right:24.0pt;
mso-margin-bottom-alt:auto'><span lang=EN style='font-family:"Verdana","sans-serif";
color:black'>It&#8217;s best to keep objective &#8220;conforming&#8221; tests from technical
standards separate from the inherently subjective world of auditing _<i>local</i>_
preventative controls.<o:p></o:p></span></p>


</div>

</body>

</html>