[replying to myself]

On 10/07/07, James Henstridge <[EMAIL PROTECTED]> wrote:
> The only real constraint the authentication spec places on the RP is
> that it maintain the association for the duration of an OpenID
> authentication request.
>
> With unsolicited response though, there is no prior request that tells
> us the RP is holding a particular association _right now_.
I just realised another difference when working with unsolicited responses.

With a normal OpenID authentication request the RP picks an association handle, so we know the RP believes it is valid. However, the OP can use a private association handle in the response if it considers the handle from the request to be invalid. So the OpenID authentication spec does not seem to require either the RP or OP to store an association for longer than ~ one request.

In contrast, if a previously established association is used in an unsolicited response there doesn't seem to be any way the RP can tell the OP that it has lost the handle. Given that there doesn't seem to be any way to recover from this situation, it seems like private associations are the only sane option for unsolicited responses.

James.

_______________________________________________
specs mailing list
http://openid.net/mailman/listinfo/specs
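A toy model of the three cases discussed in this message (a solicited request, an unsolicited response signed with a shared handle the RP has since lost, and an unsolicited response signed with a private handle), added here as an illustration and not code from the thread or from any OpenID library. It assumes an RP that falls back to the OP's direct verification (check_authentication) for any handle it does not hold, an OP that direct-verifies only its own private handles, and a cut-down set of signed fields.

```python
import hashlib, hmac, secrets

def sign(secret, fields, signed):
    # OpenID signs the listed fields, in order, in key:value\n form with HMAC-SHA1.
    kv = "".join(f"{k}:{fields[k]}\n" for k in signed).encode()
    return hmac.new(secret, kv, hashlib.sha1).hexdigest()

class OP:
    def __init__(self):
        self.shared, self.private = {}, {}   # handles the RP knows vs. OP-only handles
    def associate(self):
        handle, secret = "shared-" + secrets.token_hex(4), secrets.token_bytes(20)
        self.shared[handle] = secret
        return handle, secret
    def respond(self, handle, identity):
        # Unknown (or absent) handle: switch to a private association, as an OP may.
        if handle not in self.shared:
            handle = "private-" + secrets.token_hex(4)
            self.private[handle] = secrets.token_bytes(20)
        secret = self.shared.get(handle) or self.private[handle]
        signed = ["mode", "identity", "assoc_handle"]   # simplified field list
        fields = {"mode": "id_res", "identity": identity, "assoc_handle": handle,
                  "signed": ",".join(signed)}
        fields["sig"] = sign(secret, fields, signed)
        return fields
    def check_authentication(self, fields):
        # Direct verification covers private handles only; shared keys are never re-checked.
        secret = self.private.get(fields["assoc_handle"])
        return secret is not None and hmac.compare_digest(
            sign(secret, fields, fields["signed"].split(",")), fields["sig"])

class RP:
    def __init__(self):
        self.assocs = {}
    def verify(self, op, fields):
        secret = self.assocs.get(fields["assoc_handle"])
        if secret is not None:
            ok = hmac.compare_digest(
                sign(secret, fields, fields["signed"].split(",")), fields["sig"])
            return "verified-locally" if ok else "rejected"
        # Handle not held (never had it, or lost it): only the OP can check it now.
        return "verified-directly" if op.check_authentication(fields) else "rejected"

def scenario(kind):
    # kind: "solicited", "unsolicited-shared-lost" or "unsolicited-private"
    op, rp, handle = OP(), RP(), None
    if kind != "unsolicited-private":
        handle, secret = op.associate()
        rp.assocs[handle] = secret
    if kind == "unsolicited-shared-lost":
        rp.assocs.clear()   # RP restarted or expired it; nothing tells the OP
    return rp.verify(op, op.respond(handle, "https://alice.example/"))
```

The shared-handle case is the dead end described above: the RP no longer holds the key, the OP will not re-check a shared key, and no request exists in which the RP could ask for a different handle.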