<html><head></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">Yes Direct verification is allowed.<div><br></div><div>However a OP that can't form associations would not pass the basic requirements for ICAM.</div><div><br></div><div>The line you are referring to from Sec 3.2 is intended to make it clear to the Government RPs that they must create an association or use an existing association handle for authentication requests they make to OP's.</div><div><br></div><div>If the association has expired they use direct verification per the spec.</div><div><br></div><div>John B.</div><div><br></div><div><br><div><div>On 2009-12-01, at 1:00 AM, Andrew Arnott wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite">Direct verification is still allowed in the ICAM spec. Associations that expire on the OP before the RP removes them still result in direct verification being performed. Also, unsolicited assertions are allowed in the ICAM spec, which of course requires direct verification.<div>
<br clear="all">--<br>Andrew Arnott<br>"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - S. G. Tallentyre<br>
<br><br><div class="gmail_quote">On Mon, Nov 30, 2009 at 7:47 PM, Shane B Weeden <span dir="ltr"><<a href="mailto:sweeden@au1.ibm.com">sweeden@au1.ibm.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
Actually the point you make below is interesting when you look at<br>
deployment profiles like ICAM<br>
(<a href="http://www.idmanagement.gov/documents/ICAM_OpenID20Profile.pdf" target="_blank">http://www.idmanagement.gov/documents/ICAM_OpenID20Profile.pdf</a>).<br>
<br>
In section 3.2 Association Handles it states:<br>
<br>
The RP MUST form an association with the IdP and include the association<br>
handle in the authentication request.<br>
<br>
Does this imply then that direct verification is not permitted?<br>
<br>
If an OP was to still accept direct verification, does that make it<br>
non-compliant with ICAM?<br>
<br>
If yes, then I suspect it also follows that an ICAM-compliant OP is non<br>
OpenID 2.0 compliant :)<br>
<br>
<br>
<br>
<br>
<br>
|------------><br>
| From: |<br>
|------------><br>
>--------------------------------------------------------------------------------------------------------------------------------------------------|<br>
|"Manger, James H" <<a href="mailto:James.H.Manger@team.telstra.com">James.H.Manger@team.telstra.com</a>> |<br>
>--------------------------------------------------------------------------------------------------------------------------------------------------|<br>
|------------><br>
| To: |<br>
|------------><br>
>--------------------------------------------------------------------------------------------------------------------------------------------------|<br>
|"Eddy Nigg (StartCom Ltd.)" <<a href="mailto:eddy_nigg@startcom.org">eddy_nigg@startcom.org</a>>, "<a href="mailto:openid-general@lists.openid.net">openid-general@lists.openid.net</a>" <<a href="mailto:openid-general@lists.openid.net">openid-general@lists.openid.net</a>> |<br>
>--------------------------------------------------------------------------------------------------------------------------------------------------|<br>
|------------><br>
| Date: |<br>
|------------><br>
>--------------------------------------------------------------------------------------------------------------------------------------------------|<br>
|01/12/2009 01:28 PM |<br>
>--------------------------------------------------------------------------------------------------------------------------------------------------|<br>
|------------><br>
| Subject: |<br>
|------------><br>
>--------------------------------------------------------------------------------------------------------------------------------------------------|<br>
|[OpenID] RPX (as used by <a href="http://openid.net/" target="_blank">openid.net</a>) does not try Direct Verification |<br>
>--------------------------------------------------------------------------------------------------------------------------------------------------|<br>
|------------><br>
| Sent by: |<br>
|------------><br>
>--------------------------------------------------------------------------------------------------------------------------------------------------|<br>
|<a href="mailto:openid-general-bounces@lists.openid.net">openid-general-bounces@lists.openid.net</a> |<br>
>--------------------------------------------------------------------------------------------------------------------------------------------------|<br>
<br>
<br>
<br>
<br>
<br>
Eddy,<br>
<br>
> Unfortunately I can not vote because the authentication of OpenID doesn't<br>
accept the StartSSL OP for some reason<br>
<br>
I couldn’t vote either as <a href="http://openid.net/" target="_blank">openid.net</a> no longer accepted the OP I used<br>
previously. Presumably the change occurred when <a href="http://openid.net/" target="_blank">openid.net</a> switch OpenID<br>
implementations — it now uses RPX.<br>
RPX looks pretty good, but I don’t think it works with OPs that expect the<br>
RP to use Direct Verification, ie an OP that does not establish<br>
associations.<br>
Does the StartSSL OP expect direct verification to be used?<br>
<br>
I eventually did vote — using the OpenID delegation feature to point by<br>
OpenID URI to another OP (a very nice feature of OpenID).<br>
<br>
Establishing an associations is optional in an OpenID 2.0 flow. It is<br>
RECOMMENDED that an RP form an association if possible.<br>
I don’t think the OpenID 2.0 spec says an OP MUST support associations. The<br>
spec says if an RP “does not have an association stored, it MUST request<br>
that the OP verify the signature via Direct Verification”, but it also says<br>
“if a Relying Party is incapable of creating or storing associations,<br>
Section 11.4.2 (Verifying Directly with the OpenID Provider) provides an<br>
alternate verification mechanism”. Perhaps an RP might think it complies<br>
with OpenID 2.0 once it is capable of using associations, without<br>
supporting direct verification. [a point to clarify in OpenID v.next]<br>
<br>
<br>
James Manger_______________________________________________<br>
general mailing list<br>
<a href="mailto:general@lists.openid.net">general@lists.openid.net</a><br>
<a href="http://lists.openid.net/mailman/listinfo/openid-general" target="_blank">http://lists.openid.net/mailman/listinfo/openid-general</a><br>
<br>
_______________________________________________<br>
general mailing list<br>
<a href="mailto:general@lists.openid.net">general@lists.openid.net</a><br>
<a href="http://lists.openid.net/mailman/listinfo/openid-general" target="_blank">http://lists.openid.net/mailman/listinfo/openid-general</a><br>
</blockquote></div><br></div>
_______________________________________________<br>general mailing list<br><a href="mailto:general@lists.openid.net">general@lists.openid.net</a><br>http://lists.openid.net/mailman/listinfo/openid-general<br></blockquote></div><br></div></body></html>