Direct verification is still allowed in the ICAM spec. Associations that expire on the OP before the RP removes them still result in direct verification being performed.  Also, unsolicited assertions are allowed in the ICAM spec, which of course requires direct verification.<div>
<br clear="all">--<br>Andrew Arnott<br>&quot;I [may] not agree with what you have to say, but I&#39;ll defend to the death your right to say it.&quot; - S. G. Tallentyre<br>
<br><br><div class="gmail_quote">On Mon, Nov 30, 2009 at 7:47 PM, Shane B Weeden <span dir="ltr">&lt;<a href="mailto:sweeden@au1.ibm.com">sweeden@au1.ibm.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
Actually the point you make below is interesting when you look at<br>
deployment profiles like ICAM<br>
(<a href="http://www.idmanagement.gov/documents/ICAM_OpenID20Profile.pdf" target="_blank">http://www.idmanagement.gov/documents/ICAM_OpenID20Profile.pdf</a>).<br>
<br>
In section 3.2 Association Handles it states:<br>
<br>
   The RP MUST form an association with the IdP and include the association<br>
      handle in the authentication request.<br>
<br>
Does this imply then that direct verification is not permitted?<br>
<br>
If an OP was to still accept direct verification, does that make it<br>
non-compliant with ICAM?<br>
<br>
If yes, then I suspect it also follows that an ICAM-compliant OP is not<br>
OpenID 2.0 compliant :)<br>
<br>
From: &quot;Manger, James H&quot; &lt;<a href="mailto:James.H.Manger@team.telstra.com">James.H.Manger@team.telstra.com</a>&gt;<br>
To: &quot;Eddy Nigg (StartCom Ltd.)&quot; &lt;<a href="mailto:eddy_nigg@startcom.org">eddy_nigg@startcom.org</a>&gt;, &quot;<a href="mailto:openid-general@lists.openid.net">openid-general@lists.openid.net</a>&quot; &lt;<a href="mailto:openid-general@lists.openid.net">openid-general@lists.openid.net</a>&gt;<br>
Date: 01/12/2009 01:28 PM<br>
Subject: [OpenID] RPX (as used by <a href="http://openid.net" target="_blank">openid.net</a>) does not try Direct Verification<br>
Sent by: <a href="mailto:openid-general-bounces@lists.openid.net">openid-general-bounces@lists.openid.net</a><br>
<br>
Eddy,<br>
<br>
&gt; Unfortunately I cannot vote because the authentication of OpenID doesn&#39;t<br>
&gt; accept the StartSSL OP for some reason<br>
<br>
I couldn’t vote either as <a href="http://openid.net" target="_blank">openid.net</a> no longer accepted the OP I used<br>
previously. Presumably the change occurred when <a href="http://openid.net" target="_blank">openid.net</a> switched OpenID<br>
implementations — it now uses RPX.<br>
RPX looks pretty good, but I don’t think it works with OPs that expect the<br>
RP to use Direct Verification, i.e. an OP that does not establish<br>
associations.<br>
Does the StartSSL OP expect direct verification to be used?<br>
<br>
I eventually did vote — using the OpenID delegation feature to point my<br>
OpenID URI to another OP (a very nice feature of OpenID).<br>
<br>
Establishing an association is optional in an OpenID 2.0 flow. It is<br>
RECOMMENDED that an RP form an association if possible.<br>
I don’t think the OpenID 2.0 spec says an OP MUST support associations. The<br>
spec says if an RP “does not have an association stored, it MUST request<br>
that the OP verify the signature via Direct Verification”, but it also says<br>
“if a Relying Party is incapable of creating or storing associations,<br>
Section 11.4.2 (Verifying Directly with the OpenID Provider) provides an<br>
alternate verification mechanism”. Perhaps an RP might think it complies<br>
with OpenID 2.0 once it is capable of using associations, without<br>
supporting direct verification. [a point to clarify in OpenID v.next]<br>
<br>
<br>
James Manger<br>
_______________________________________________<br>
general mailing list<br>
<a href="mailto:general@lists.openid.net">general@lists.openid.net</a><br>
<a href="http://lists.openid.net/mailman/listinfo/openid-general" target="_blank">http://lists.openid.net/mailman/listinfo/openid-general</a><br>
<br>
</blockquote></div><br></div>