[PROPOSAL] Giving Signatures/Assertions Context
Recordon, David
drecordon at verisign.com
Tue Nov 7 23:42:36 UTC 2006
So I know I said no more proposals like a month ago, but this one helps
from a security perspective around the signature on the response.
Currently the response must have "return_to", "response_nonce" and then
"disco_id" and "identity" if they are present. I'm proposing that we
add to this requirement the following fields:
- assoc_handle
- URI identifier for the IdP's server endpoint
This helps to:
- Makes the signature clearly reflect the request
- Gives the assertion/signature context on its own
- Reduces the potential for replaying responses in differing contexts,
though the nonce takes care of this already
The main benefit is really helping to make the context of the response
more clear so that a response on its own clearly shows the IdP it is
from, the association handle, along with where the user is being sent,
the nonce, and the identifier.
The one potential point for objection we see is that there are times
when a signer may wish to remain anonymous, but rather leave it to the
recipient to know who they are. I don't see this as a concern within
OpenID as it stands today, though wanted to mention it for completeness.
Thoughts? Objections?
--David
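The following is an added illustration of what the proposal changes, not code from the post or from any OpenID implementation. It models the OpenID key-value signing step (HMAC-SHA1 over `key:value\n` lines for each field in the signed list) and compares the current required field set with the proposed one. The field names follow the post ("disco_id", "identity", "assoc_handle"); the post gives no key name for the IdP endpoint URI, so "op_endpoint" is an assumed name, and the response values and MAC key are constructed sample data.

```python
import base64
import hashlib
import hmac

# Fields the current draft requires inside the signature, per the post:
# return_to and response_nonce always; disco_id and identity when present.
CURRENT_REQUIRED = ("return_to", "response_nonce")
CURRENT_IF_PRESENT = ("disco_id", "identity")

# The two fields the proposal adds. "op_endpoint" is an assumed key name for
# the "URI identifier for the IdP's server endpoint"; the post names no key.
PROPOSED_EXTRA = ("assoc_handle", "op_endpoint")

# Constructed sample response and association key (not real values).
SAMPLE_RESPONSE = {
    "return_to": "https://rp.example/finish",
    "response_nonce": "2006-11-07T23:42:36ZabcDEF",
    "disco_id": "https://alice.example/",
    "identity": "https://alice.example/",
    "assoc_handle": "handle-0001",
    "op_endpoint": "https://idp.example/server",
}
SAMPLE_MAC_KEY = b"constructed-20-byte-mac-key!"


def required_signed_fields(response, proposed):
    """Fields that must be covered by the signature under either rule set."""
    fields = list(CURRENT_REQUIRED)
    fields += [f for f in CURRENT_IF_PRESENT if f in response]
    if proposed:
        fields += list(PROPOSED_EXTRA)
    return fields


def kv_form(response, signed_fields):
    """OpenID key-value form: one 'key:value\\n' line per signed field, in order."""
    return "".join(f"{k}:{response[k]}\n" for k in signed_fields)


def sign(response, signed_fields, mac_key):
    """Base64(HMAC-SHA1(mac_key, kv_form)) over the listed fields."""
    data = kv_form(response, signed_fields).encode()
    return base64.b64encode(hmac.new(mac_key, data, hashlib.sha1).digest()).decode()


def verify(response, signed_fields, sig, mac_key):
    return hmac.compare_digest(sign(response, signed_fields, mac_key), sig)


def missing_required(signed_fields, response, proposed):
    """Required fields that a response's signed list fails to cover."""
    return [f for f in required_signed_fields(response, proposed)
            if f not in signed_fields]


def field_is_bound(response, signed_fields, sig, mac_key, field, new_value):
    """True if altering `field` invalidates `sig`, i.e. the signature binds it."""
    altered = dict(response, **{field: new_value})
    return not verify(altered, signed_fields, sig, mac_key)


if __name__ == "__main__":
    key = SAMPLE_MAC_KEY
    current = required_signed_fields(SAMPLE_RESPONSE, proposed=False)
    sig = sign(SAMPLE_RESPONSE, current, key)
    # With the current field set, the IdP endpoint is not part of the context.
    print("current set binds op_endpoint:",
          field_is_bound(SAMPLE_RESPONSE, current, sig, key,
                         "op_endpoint", "https://other-idp.example/server"))
    proposed = required_signed_fields(SAMPLE_RESPONSE, proposed=True)
    sig2 = sign(SAMPLE_RESPONSE, proposed, key)
    print("proposed set binds op_endpoint:",
          field_is_bound(SAMPLE_RESPONSE, proposed, sig2, key,
                         "op_endpoint", "https://other-idp.example/server"))
```

Run stand-alone, the script reports that the current signed set leaves the endpoint field unbound while the proposed set binds it; `missing_required` is the check a relying party would apply to an incoming `signed` list to see whether the response carries the context the proposal asks for.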