On Fri, Mar 26, 2010 at 08:04, nara hideki <[email protected]> wrote:
> Hi experts,
>
> I'm afraid that this question has been discussed, but I can't find it.
>
> "10. Responding to Authentication Requests" of Auth 2.0 Final says:
>
> OPs SHOULD use private associations for signing unsolicited
> positive assertions.

It could lead to less interoperability -- if the RP has revoked the key (e.g., because it suspects that the key has been compromised), then the RP would reject the assertion as an error (recognizing the revoked handle). A similar situation appears if the OP has a policy on key refresh rate that is longer than the RP's. That would cause the RP to revoke the key when the OP still believes it is valid. I think the current reading of the spec promotes interoperability with flexibility in key management, and that's good for security.

> I'd like to know the reason why "SHOULD" is used rather than "MAY".
> Is there any security threat if we don't use private associations?
>
> Thanks in advance.
>
> -----
> hdknr.com
> _______________________________________________
> specs mailing list
> [email protected]
> http://lists.openid.net/mailman/listinfo/openid-specs

--
--Breno
+1 (650) 214-1007 desk
+1 (408) 212-0135 (Grand Central)
MTV-41-3 : 383-A
PST (GMT-8) / PDT(GMT-7)
