Associations are not protected. Creating an association with an "authenticated" RP doesn't prevent the association handle from being used by another RP since handles are not secrets. Also, there is "dumb mode" where no association is shared.<div>
<br></div><div>I suggest you whitelist the RP's realm and filter at user authentication time, and be willing to form associations with anyone that asks. Associations are worthless to RPs if their realm doesn't match. You'd need to perform "RP discovery" on their realm to make it secure. If you don't want to manage a whitelist at the OP but still want to allow only approved RPs, you can require that the RP's XRDS document contains some special tag that contains the realm URL plus a signature from the OP. That way the OP can issue "certification" strings that RPs can host and certify themselves but without the OP managing the whitelist.</div>
<div><br></div><div>Just an approach.</div>--<br>Andrew Arnott<br>"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - S. G. Tallentyre<br>
<br><br><div class="gmail_quote">On Thu, Mar 4, 2010 at 11:11 PM, Torsten Lodderstedt <span dir="ltr"><<a href="mailto:torsten@lodderstedt.net" target="_blank">torsten@lodderstedt.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Hi all,<br>
<br>
I'm investigating ways to reliably authenticate RPs in scenarios with strong coupling between RP and OP.<br>
<br>
My question to the list is: Does it contradict the OpenId 2.0 spec if an OP requires HTTP authentication (e.g. BASIC authentication) on direct communication requests? The idea is to only establish an association if the RP is authenticated and authorized.<br>
<br>
Thanks in advance,<br>
Torsten.<br>
<br>
_______________________________________________<br>
general mailing list<br>
<a href="mailto:general@lists.openid.net" target="_blank">general@lists.openid.net</a><br>
<a href="http://lists.openid.net/mailman/listinfo/openid-general" target="_blank">http://lists.openid.net/mailman/listinfo/openid-general</a><br>
</blockquote></div><br>
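<div>As an added example (not code from this thread, nor from any OpenID library), here is a Python sketch of the OP-side filter Andrew describes above: associations are handed out to anyone, and the RP is checked at user-authentication time, either against an OP-managed realm whitelist or via an OP-issued "certification" string hosted in the RP's XRDS document. The realm whitelist, the OP key, the XRDS element name and its namespace (<code>op:Certification</code> in a made-up namespace), the sample RP URLs and the XRDS document itself are all constructed assumptions; the realm-matching rule follows OpenID 2.0 section 9.2 (scheme and port must match, host matches directly or under a leading <code>*.</code> wildcard, return_to path equal to or below the realm path).</div>

```python
import base64
import binascii
import hashlib
import hmac
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Key held only by the OP (constructed for this example; a real OP keeps it in its key store).
OP_CERT_KEY = b"example-op-certification-key"

# Hypothetical namespace and element name for the certification tag an approved RP hosts in its XRDS.
CERT_NS = "http://op.example/xrds/certification"

# OP-managed realm whitelist (constructed for this example).
REALM_WHITELIST = {"https://partner.example/"}


def issue_certification(realm: str, key: bytes = OP_CERT_KEY) -> str:
    """OP side: mint the certification string for a realm.

    Only the OP ever verifies this string, so an HMAC under an OP-private key is
    enough; an RP cannot forge one for a realm the OP did not approve.
    """
    mac = hmac.new(key, realm.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")


def verify_certification(realm: str, cert: str, key: bytes = OP_CERT_KEY) -> bool:
    """OP side: constant-time check that cert was issued by this OP for exactly this realm."""
    try:
        given = base64.b64decode(cert, validate=True)
    except (ValueError, binascii.Error):
        return False
    expected = hmac.new(key, realm.encode("utf-8"), hashlib.sha256).digest()
    return hmac.compare_digest(given, expected)


def certification_from_xrds(xrds: str, realm: str):
    """Pull the certification string for `realm` out of an RP's XRDS document, or None."""
    try:
        root = ET.fromstring(xrds)
    except ET.ParseError:
        return None
    for el in root.iter("{%s}Certification" % CERT_NS):
        if el.get("realm") == realm and el.text:
            return el.text.strip()
    return None


def return_to_matches_realm(return_to: str, realm: str) -> bool:
    """OpenID 2.0 section 9.2 realm matching (see lead-in for the rule)."""
    rt, rl = urlsplit(return_to), urlsplit(realm)
    if rl.fragment or rl.hostname is None or rt.hostname is None:
        return False  # realms must not carry a fragment; both sides need a host
    if rt.scheme != rl.scheme or rt.port != rl.port:
        return False
    rt_host, rl_host = rt.hostname.lower(), rl.hostname.lower()
    if rl_host.startswith("*."):
        suffix = rl_host[2:]
        if not suffix or not (rt_host == suffix or rt_host.endswith("." + suffix)):
            return False
    elif rt_host != rl_host:
        return False
    rl_path = rl.path or "/"
    rt_path = rt.path or "/"
    if not rl_path.endswith("/"):
        rl_path += "/"
    # return_to path must equal the realm path or sit in a sub-directory of it
    return rt_path == rl_path.rstrip("/") or rt_path.startswith(rl_path)


def authorize_rp(realm: str, return_to: str, xrds) -> bool:
    """The filter the OP applies at user-authentication time (never at association time).

    `xrds` is the RP's already-fetched XRDS document (discovery on the realm is assumed
    to have happened elsewhere), or None if the OP did not fetch one.
    """
    if not return_to_matches_realm(return_to, realm):
        return False  # an association is worthless to an RP whose realm doesn't match
    if realm in REALM_WHITELIST:
        return True
    cert = certification_from_xrds(xrds, realm) if xrds else None
    return cert is not None and verify_certification(realm, cert)


def sample_xrds(realm: str, cert: str) -> str:
    """Constructed XRDS document of the shape an approved RP would host at its realm."""
    return f"""<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)" xmlns:op="{CERT_NS}">
  <XRD>
    <Service>
      <Type>http://specs.openid.net/auth/2.0/return_to</Type>
      <URI>{realm}openid/return</URI>
    </Service>
    <op:Certification realm="{realm}">{cert}</op:Certification>
  </XRD>
</xrds:XRDS>"""


if __name__ == "__main__":
    realm = "https://rp.example/"
    xrds = sample_xrds(realm, issue_certification(realm))
    print(authorize_rp(realm, "https://rp.example/openid/return", xrds))  # True
    print(authorize_rp(realm, "https://evil.example/openid/return", xrds))  # False
```

<div>Two design points worth noting. Because the OP is the only party that ever checks the certification string, an HMAC under a key the OP keeps to itself is sufficient; a public-key signature would only be needed if other parties had to verify it. And the string is bound to the realm, not to an association handle, which is the whole point of Andrew's approach: handles are not secrets and can be presented by anyone, so the decision has to rest on whether return_to lies inside a realm the OP has approved.</div>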