OpenID Attribute Exchange Protocol questions
Johnny Bufu
johnny at sxip.com
Tue Jul 10 17:52:44 UTC 2007
On 10-Jul-07, at 8:43 AM, James Henstridge wrote:
> On 10/07/07, Dick Hardt <dick at sxip.com> wrote:
>> > Given that there doesn't seem to be any way to recover from this
>> > situation, it seems like private associations are the only sane
>> > option for unsolicited responses.
>>
>> An update message would require direct verification and not use an
>> association. Associations are set by the RP, and in this case, the OP
>> is initiating the conversation. I might be missing something, but I
>> don't see how you can reliably use an association.
>
> That was the conclusion that I came to.
>
> I was replying to Johnny's statement that the OP knows the expiry time
> of the association handles it stores so could use a previously
> negotiated handle in the unsolicited response.
>
> I think it would be good to include a statement to this effect in the
> specification so that implementers don't have to work this out for
> themselves (and maybe get it wrong).
Looks like it's already in the spec, in section 10, Responding to
Authentication Requests:
> If no association handle is specified, the OP SHOULD create a
> private association for signing the response. The OP MUST store
> this association and MUST respond to later requests to check the
> signature of the response via Direct Verification.
http://openid.net/specs/openid-authentication-2_0-11.html#responding_to_authentication
Johnny
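The flow the thread settles on, as an added Python sketch (not from the thread, the spec, or any OpenID library): the OP signs an unsolicited positive assertion with a private association it stores, and the RP, holding no handle it negotiated, falls back to direct verification with the same message in check_authentication mode. The endpoint and identity URLs, the one-hour expiry, and the in-process OP object standing in for an HTTPS POST to op_endpoint are assumptions.

```python
import base64, hashlib, hmac, secrets, time

NS = "http://specs.openid.net/auth/2.0"
SIGNED = "op_endpoint,return_to,response_nonce,assoc_handle,claimed_id,identity"

def sign(msg, key):
    # HMAC-SHA256 over the key-value form (section 4.1.1) of the fields named in openid.signed.
    body = "".join(f"{k}:{msg['openid.' + k]}\n" for k in msg["openid.signed"].split(","))
    return base64.b64encode(hmac.new(key, body.encode(), hashlib.sha256).digest()).decode()

class OP:
    def __init__(self, endpoint):
        self.endpoint, self.private, self.answered = endpoint, {}, set()
        # private: handle -> (key, expiry), stored as section 10 requires
        # answered: response nonces already verified, so each response is verified only once

    def unsolicited_assertion(self, return_to, identity):
        # An OP-initiated response has no RP-chosen handle, so mint a private association.
        handle, key = "priv-" + secrets.token_hex(8), secrets.token_bytes(32)
        self.private[handle] = (key, time.time() + 3600)  # assumed one-hour lifetime
        msg = {"openid.ns": NS, "openid.mode": "id_res", "openid.op_endpoint": self.endpoint,
               "openid.return_to": return_to, "openid.claimed_id": identity,
               "openid.identity": identity, "openid.assoc_handle": handle,
               "openid.signed": SIGNED, "openid.response_nonce":
               time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()) + secrets.token_hex(4)}
        msg["openid.sig"] = sign(msg, key)
        return msg

    def check_authentication(self, req):
        # Direct verification (section 11.4.2): recompute the signature with the stored key.
        assoc = self.private.get(req["openid.assoc_handle"])
        nonce = req["openid.response_nonce"]
        ok = (assoc is not None and assoc[1] > time.time() and nonce not in self.answered
              and hmac.compare_digest(sign(req, assoc[0]), req["openid.sig"]))
        if ok:
            self.answered.add(nonce)
        return {"ns": NS, "is_valid": "true" if ok else "false"}

class RP:
    def __init__(self, op):
        self.op, self.shared = op, {}  # op stands in for an HTTPS POST to openid.op_endpoint;
                                       # shared: handle -> key for associations this RP negotiated

    def verify(self, msg):
        handle = msg["openid.assoc_handle"]
        if handle in self.shared:  # only a handle this RP negotiated can be checked locally
            return hmac.compare_digest(sign(msg, self.shared[handle]), msg["openid.sig"])
        # Unknown (private) handle: send the same message with mode check_authentication.
        req = dict(msg, **{"openid.mode": "check_authentication"})
        return self.op.check_authentication(req)["is_valid"] == "true"
```

A second check_authentication for the same response is refused, so a captured assertion cannot be re-verified later.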