Since stateless mode authentication is weak, it seems incorrect to say a provider must or should implement it.
On Fri, Aug 27, 2010 at 12:20 AM, Yitzchak Scott-Thoennes < [email protected]> wrote: > (David, sorry for sending this to you by accident instead of the list.) > > Should, not must? > > If must (and maybe even if should), then it seems it either should be > illegal to have mode as a signed attribute or check_authentication > should not be subject to signature checking (since the sender must > change the mode attribute and isn't able to recalculate the signature, > and in any case, the whole purpose is that the OP validate the > signature received by the Relying Party.) > > On Fri, Aug 27, 2010 at 12:10 AM, David Recordon <[email protected]> > wrote: > > ugh, yes every provider should support check_authentication. > > > > On Thu, Aug 26, 2010 at 10:11 PM, Yitzchak Scott-Thoennes > > <[email protected]> wrote: > >> > >> In the OpenID Authentication 2.0 spec, the Relying Party is obligated > >> to use direct verification to check the signature when it does not have > >> the association stored. > >> > >> But is an OP required to support check_authentication? > >> > >> There are certain providers that appear to not support it, always > >> returning a failure. > >> > >> There are other providers that include mode as a signed attribute, > >> and so reject the check_authentication as having an invalid signature > >> (since the mode has changed). > >> > >> Can someone familiar with this comment, please? > >> _______________________________________________ > >> specs mailing list > >> [email protected] > >> http://lists.openid.net/mailman/listinfo/openid-specs > > > > > _______________________________________________ > specs mailing list > [email protected] > http://lists.openid.net/mailman/listinfo/openid-specs >
_______________________________________________ specs mailing list [email protected] http://lists.openid.net/mailman/listinfo/openid-specs
