I think I agree with you Will that there is little value of long lived associations. They reduce a bit of overhead, but renewing them every 24 hours shouldn't be too bad. It seems prudent for an RP to renew the association proactively versus waiting for a user to be signing in and having the OP tell them that the association is no longer valid. (Thus creating additional wait time for the user.)<div>
<br></div><div>--David<br><br><div class="gmail_quote">On Sun, Nov 29, 2009 at 12:26 PM, Johannes Ernst <span dir="ltr"><jernst+<a href="http://openid.net">openid.net</a>@<a href="http://netmesh.us">netmesh.us</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">I think it's because SSH keys are public/private key pairs, while OpenID associations are symmetric, i.e. two parties have to keep them safe and either of them has to trust the other that they keep them safe. (At least that's my guess ...) In the asymmetric case, nothing bad happens if a third party discovers somebody else's public key.<br>
<br>
Coincidentally one of the reasons that we based LID of public key pairs instead of symmetric keys.<br>
<br>
As you point out, making the lifetime shorter improves one thing but makes another thing harder, there's a tradeoff there.<br>
<div><div></div><div class="h5"><br>
<br>
On Nov 29, 2009, at 10:34, Will Norris wrote:<br>
<br>
> One question has been bugging me for a while after reading the ICAM OpenID profile[0]. The ICAM profile specifies that associations must expire within at least 24 hours. What's the rationale behind this?<br>
><br>
> Or put another way, what about the benefits of using long-lived associations? Take SSH host keys for example. They MUST be long lived to actually serve the purpose they are intended for... to ensure that host you're talking to today is the same host you talked to yesterday, and the day before that. Now for the really paranoid, you would verify the SSH host key out of band some way, but I'm certainly not suggesting that (I've gotten my fill of that with SAML metadata exchange). But even without the out of band verification, there is a lot of value just in having the host key long lived.<br>
><br>
> Why are these same principals not applied to OpenID associations? Am I overloading the purpose of the association?<br>
><br>
> [0]: <a href="http://www.idmanagement.gov/documents/ICAM_OpenID20Profile.pdf" target="_blank">http://www.idmanagement.gov/documents/ICAM_OpenID20Profile.pdf</a><br>
><br>
> -will<br>
> _______________________________________________<br>
> general mailing list<br>
> <a href="mailto:general@lists.openid.net">general@lists.openid.net</a><br>
> <a href="http://lists.openid.net/mailman/listinfo/openid-general" target="_blank">http://lists.openid.net/mailman/listinfo/openid-general</a><br>
<br>
_______________________________________________<br>
general mailing list<br>
<a href="mailto:general@lists.openid.net">general@lists.openid.net</a><br>
<a href="http://lists.openid.net/mailman/listinfo/openid-general" target="_blank">http://lists.openid.net/mailman/listinfo/openid-general</a><br>
</div></div></blockquote></div><br></div>