<br><font size=2 face="sans-serif">The encoding of state in a signed cookie
is definitely one option I have considered.</font>
<br>
<br><font size=2 face="sans-serif">Can you please explain in a little more
detail how one would do 11.4.2? I am looking at it but not sure how
to verify the discovery information or the returnTO. The text sounds
similar to a second association but it does not detail which information
I would send to the OP. Do you have an example set of parameters
that I would send back to the OP from the relying party?</font>
<br>
<br>
<br><font size=2 face="sans-serif">Thank you<br>
Todd Kaplinger<br>
Project Zero Architecture and Development<br>
</font><a href=http://www.projectzero.org/><font size=2 face="sans-serif">http://www.projectzero.org</font></a>
<br>
<br>
<br>
<table width=100%>
<tr valign=top>
<td width=40%><font size=1 face="sans-serif"><b>"Kevin Turner"
<kevin@janrain.com></b> </font>
<p><font size=1 face="sans-serif">07/28/2008 01:56 PM</font>
<td width=59%>
<table width=100%>
<tr valign=top>
<td>
<div align=right><font size=1 face="sans-serif">To</font></div>
<td><font size=1 face="sans-serif">Todd Kaplinger/Durham/IBM@IBMUS</font>
<tr valign=top>
<td>
<div align=right><font size=1 face="sans-serif">cc</font></div>
<td><font size=1 face="sans-serif">specs@openid.net</font>
<tr valign=top>
<td>
<div align=right><font size=1 face="sans-serif">Subject</font></div>
<td><font size=1 face="sans-serif">Re: section 11. Verifying Assertions</font></table>
<br>
<table>
<tr valign=top>
<td>
<td></table>
<br></table>
<br>
<br>
<br><tt><font size=2>See section 11.4.2. Verifying Directly with
the OpenID Provider.<br>
<br>
or encode your state in a signed cookie or the return_to URL or somesuch.<br>
</font></tt>
<br>