<html><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">Nat,<div><br></div><div>You can do identity less openID checkid_imediate requests to invoke extensions like AX.</div><div><br></div><div>That doesn't let you piggyback AX on a association request though.</div><div><br></div><div>I am sympathetic to your problem of wanting an artifact binding for openID.</div><div><br></div><div>The reality is that we need to create a artifact binding in 2.1 rather than try and slip it through some loose wording in the 2.0 spec.</div><div><br></div><div>OpenID 2.0 doesn't support artifact binding.</div><div><br></div><div>If it did then that would have helped me with the LoA 2 justification. </div><div><br></div><div>Artifact binding will add complexity and not everyone will support it.</div><div><br></div><div>Some may ask if we add artifact binding, signatures and encryption are we not reinventing SAML Web SSO, or something of equal complexity?</div><div><br></div><div>I am not against doing it if that is the chosen direction. However I would like to see a full and open discussion on it.</div><div><br></div><div>John B.</div><div><br><div><div>On 13-Aug-09, at 8:03 AM, <a href="mailto:openid-specs-request@lists.openid.net">openid-specs-request@lists.openid.net</a> wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite"><span class="Apple-style-span" style="border-collapse: separate; color: rgb(0, 0, 0); font-family: Helvetica; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; -webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; "><span class="Apple-style-span" style="font-family: monospace; ">Date: Fri, 14 Aug 2009 00:03:12 +0900<br>From: Nat Sakimura <<a href="mailto:sakimura@gmail.com">sakimura@gmail.com</a>><br>Subject: Re: So, what is an OpenID Extension?<br>To: James Henstridge <<a href="mailto:james@jamesh.id.au">james@jamesh.id.au</a>><br>Cc: OpenID Specs Mailing List <<a href="mailto:specs@openid.net">specs@openid.net</a>><br>Message-ID:<br><span class="Apple-tab-span" style="white-space: pre; "> </span><<a href="mailto:bf26e2340908130803h390947eya0f6af01c65daee5@mail.gmail.com">bf26e2340908130803h390947eya0f6af01c65daee5@mail.gmail.com</a>><br>Content-Type: text/plain; charset="iso-8859-1"<br><br>Hmmm. So, there is no way we can do direct communication in an extension? What<br>I want to do is to send the large payload directly between the servers and<br>move only the reference through OpenID Authn request and response so that<br><br>1) mobile clients will not choke.<br>2) is going to be more secure.<br><br>In AX, there is a notion of update_url, but is that also used only for<br>indirect communication through browser?<br><br>I feel that it is extremely limiting if we cannot do the server to server<br>communication.<br><br>If that is not a possibility, then I should probably do the server to server<br>portion elsewhere, and just do the reference/artifact moving through OpenID<br>AuthN, but that sounds like OpenID strangling itself.<br><br>=nat<br></span></span></blockquote></div><br></div></body></html>