private association for unsolicited positive assertions
John Bradley
john.bradley at wingaa.com
Fri Mar 26 12:58:32 UTC 2010
The other reason for recommending private associations is that the OP need not keep track of which RP has been given a particular association handle. There is no verification of RP identity by the OP in the spec.
Unless some mechanism outside the spec is used, the only thing an OP can use is a private association.
John B.
On 2010-03-26, at 5:02 AM, Breno de Medeiros wrote:
> On Fri, Mar 26, 2010 at 08:04, nara hideki <hdknr at ic-tact.co.jp> wrote:
>> Hi experts,
>>
>> I'm afraid that this question has been discussed, but I can't find it.
>>
>> "10. Responding to Authentication Requests" of Auth 2.0 Final says:
>>
>> OPs SHOULD use private associations for signing unsolicited
>> positive assertions.
>
> It could lead to less interoperability -- if the RP has revoked the
> key (e.g., because it suspects that the key has been compromised),
> then the RP would reject the assertion as an error (recognizing the
> revoked handle).
>
> A similar situation appears if the OP has a policy on key refresh rate
> that is longer than the RP's. That would cause the RP to revoke the
> key when the OP still believes it to be valid.
>
> I think the current reading of the spec promotes interoperability with
> flexibility in key management, and that's good for security.
>
>>
>> I'd like to know the reason why "SHOULD" is used rather than "MAY".
>> Is there any security threat if we don't use private associations?
>>
>> Thanks in advance.
>>
>> -----
>> hdknr.com
>> _______________________________________________
>> specs mailing list
>> specs at lists.openid.net
>> http://lists.openid.net/mailman/listinfo/openid-specs
>>
>
>
>
> --
> --Breno