<html><head></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">I don't know of anything less secure about stateless mode. Associations are a performance optimization, not a security one.<div><br></div><div>John B.<br><div><div>On 2010-08-27, at 12:25 PM, Hans Granqvist wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite">Since stateless mode authentication is weak, it seems incorrect to say a<div>provider must or should implement it.</div><div><br><br><div class="gmail_quote">On Fri, Aug 27, 2010 at 12:20 AM, Yitzchak Scott-Thoennes <span dir="ltr"><<a href="mailto:sthoenna@gmail.com">sthoenna@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">(David, sorry for sending this to you by accident instead of the list.)<br>
<br>
Should, not must?<br>
<br>
If must (and maybe even if should), then it seems it either should be<br>
illegal to have mode as a signed attribute or check_authentication<br>
should not be subject to signature checking (since the sender must<br>
change the mode attribute and isn't able to recalculate the signature,<br>
and in any case, the whole purpose is that the OP validate the<br>
signature received by the Relying Party.)<br>
<div><div></div><div class="h5"><br>
On Fri, Aug 27, 2010 at 12:10 AM, David Recordon <<a href="mailto:recordond@gmail.com">recordond@gmail.com</a>> wrote:<br>
> ugh, yes every provider should support check_authentication.<br>
><br>
> On Thu, Aug 26, 2010 at 10:11 PM, Yitzchak Scott-Thoennes<br>
> <<a href="mailto:sthoenna@gmail.com">sthoenna@gmail.com</a>> wrote:<br>
>><br>
>> In the OpenID Authentication 2.0 spec, the Relying Party is obligated<br>
>> to use direct verification to check the signature when it does not have<br>
>> the association stored.<br>
>><br>
>> But is an OP required to support check_authentication?<br>
>><br>
>> There are certain providers that appear to not support it, always<br>
>> returning a failure.<br>
>><br>
>> There are other providers that include mode as a signed attribute,<br>
>> and so reject the check_authentication as having an invalid signature<br>
>> (since the mode has changed).<br>
>><br>
>> Can someone familiar with this comment, please?<br>
>> _______________________________________________<br>
>> specs mailing list<br>
>> <a href="mailto:specs@lists.openid.net">specs@lists.openid.net</a><br>
>> <a href="http://lists.openid.net/mailman/listinfo/openid-specs" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs</a><br>
><br>
><br>
</div></div></blockquote></div><br></div>
</blockquote></div><br></div></body></html>
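The direct-verification exchange the thread is about, as an added example written for this page rather than code from the thread or from any OpenID library: an OP issues an id_res assertion signed with HMAC-SHA256 over the key-value form of the signed fields, an RP that has no stored association replays it to the OP as a check_authentication request, and the OP recomputes the signature. The association handle, MAC key, endpoint URLs and nonce are constructed placeholders. Whether the provider puts mode in the signed list is a parameter, so the example reproduces the rejection Yitzchak reports (mode signed, OP verifies the request exactly as received) and shows one way an OP can avoid it, substituting id_res for mode before recomputing. That substitution is an implementation choice assumed here, not something the thread settles.

```python
import base64
import hashlib
import hmac

# Constructed sample association: in a real deployment the MAC key is the
# secret the OP established for this handle (kept privately by the OP in
# stateless mode). The value here is a placeholder, not a real key.
MAC_KEY = bytes(range(32))
ASSOC_HANDLE = "example-assoc-handle"      # hypothetical handle
OP_ASSOCIATIONS = {ASSOC_HANDLE: MAC_KEY}  # the OP's association store

# Fields a positive assertion must sign under OpenID 2.0, plus 'signed'
# itself; 'mode' is deliberately absent from this base list.
BASE_SIGNED = ["op_endpoint", "return_to", "response_nonce",
               "assoc_handle", "claimed_id", "identity", "signed"]


def kv_form(fields, signed):
    """Key-value form covered by the signature: 'name:value\\n' for each
    signed field, in the order given by the signed list."""
    return "".join(f"{name}:{fields[name]}\n" for name in signed)


def sign(fields, signed, mac_key):
    """HMAC-SHA256 over the key-value form, base64 encoded."""
    mac = hmac.new(mac_key, kv_form(fields, signed).encode("utf-8"), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode("ascii")


def op_positive_assertion(signed):
    """OP builds the id_res assertion; URLs and nonce are constructed values."""
    fields = {
        "ns": "http://specs.openid.net/auth/2.0",
        "mode": "id_res",
        "op_endpoint": "https://op.example/openid",
        "return_to": "https://rp.example/openid/return",
        "response_nonce": "2010-08-27T00:00:00ZsAmPlE",
        "assoc_handle": ASSOC_HANDLE,
        "claimed_id": "https://op.example/user/alice",
        "identity": "https://op.example/user/alice",
        "signed": ",".join(signed),
    }
    fields["sig"] = sign(fields, signed, MAC_KEY)
    return fields


def rp_check_authentication_request(assertion):
    """RP without a stored association: same fields, mode changed to
    check_authentication, sent to the OP as a direct request."""
    request = dict(assertion)
    request["mode"] = "check_authentication"
    return request


def op_verify(request, restore_mode):
    """OP side of check_authentication; returns the is_valid answer.
    restore_mode=False: the OP signs the request exactly as received, so a
    signed 'mode' field can never match (the failure case from the thread).
    restore_mode=True: the OP substitutes 'id_res' for 'mode' before
    recomputing the signature (an implementation choice assumed here)."""
    mac_key = OP_ASSOCIATIONS.get(request.get("assoc_handle"))
    if mac_key is None:
        return False  # unknown or expired handle: nothing to verify against
    signed = request["signed"].split(",")
    fields = dict(request)
    if restore_mode and "mode" in signed:
        fields["mode"] = "id_res"
    try:
        expected = sign(fields, signed, mac_key)
    except KeyError:
        return False  # signed list names a field that is not present
    return hmac.compare_digest(expected, request.get("sig", ""))


def demo():
    """Run the four cases discussed in the thread and return their outcomes."""
    results = {}
    # Provider that does not sign mode: verification succeeds either way.
    req = rp_check_authentication_request(op_positive_assertion(BASE_SIGNED))
    results["mode_unsigned"] = op_verify(req, restore_mode=False)
    # Provider that signs mode: verbatim verification rejects every
    # check_authentication request; restoring id_res makes it pass.
    req = rp_check_authentication_request(op_positive_assertion(BASE_SIGNED + ["mode"]))
    results["mode_signed_naive"] = op_verify(req, restore_mode=False)
    results["mode_signed_restored"] = op_verify(req, restore_mode=True)
    # A tampered signed field must still be rejected after the substitution.
    tampered = dict(req)
    tampered["return_to"] = "https://other.example/return"
    results["tampered"] = op_verify(tampered, restore_mode=True)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: is_valid={'true' if ok else 'false'}")
```

The substitution only touches the one field the RP is obliged to change; every other signed value, including return_to and response_nonce, is still covered by the recomputed HMAC, which is why the tampered case is rejected.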