On 10-Jul-07, at 8:29 AM, James Henstridge wrote:

> [replying to myself]
>
> On 10/07/07, James Henstridge <[EMAIL PROTECTED]> wrote:
>> The only real constraint the authentication spec places on the RP is
>> that it maintain the association for the duration of an OpenID
>> authentication request.
>>
>> With unsolicited response though, there is no prior request that tells
>> us the RP is holding a particular association _right now_.
>
> I just realised another difference when working with unsolicited responses.
>
> With a normal OpenID authentication request the RP picks an
> association handle, so we know the RP believes it is valid.  However,
> the OP can use a private association handle in the response if it
> considers the handle from the request to be invalid.  So the OpenID
> authentication spec does not seem to require either the RP or OP to
> store an association for longer than ~ one request.
>
> In contrast, if a previously established association is used in an
> unsolicited response there doesn't seem to be any way the RP can tell
> the OP that it has lost the handle.
>
> Given that there doesn't seem to be any way to recover from this
> situation, it seems like private associations are the only sane option
> for unsolicited responses.

An update message would require direct verification and not use an  
association. Associations are set by the RP, and in this case, the OP  
is initiating the conversation. I might be missing something, but I  
don't see how you can reliably use an association.

-- Dick



_______________________________________________
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs
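As an added illustration of the point argued in this thread (example code, not from the list or from any OpenID library): a toy OP that signs unsolicited assertions only with private associations, and an RP that verifies locally only when it holds the handle it chose itself, otherwise falling back to direct verification with a check_authentication request. Endpoint URLs, identifiers and the nonce are constructed values.

```python
import base64, hmac, hashlib, secrets

def kv_form(msg: dict, signed: str) -> str:
    # Key-value form of the signed fields ("key:value\n"), as in the OpenID 2.0 signature algorithm
    return "".join(f"{k}:{msg['openid.' + k]}\n" for k in signed.split(","))

def sign(msg: dict, signed: str, secret: bytes) -> str:
    mac = hmac.new(secret, kv_form(msg, signed).encode(), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()

class Provider:
    """OP side: unsolicited assertions are signed with private (OP-only) associations."""
    def __init__(self, endpoint: str):
        self.endpoint, self.private = endpoint, {}
    def unsolicited_assertion(self, claimed_id: str, return_to: str) -> dict:
        handle, secret = secrets.token_urlsafe(16), secrets.token_bytes(32)
        self.private[handle] = secret   # never shared with any RP
        signed = "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle"
        msg = {"openid.ns": "http://specs.openid.net/auth/2.0", "openid.mode": "id_res",
               "openid.op_endpoint": self.endpoint, "openid.claimed_id": claimed_id,
               "openid.identity": claimed_id, "openid.return_to": return_to,
               "openid.response_nonce": "2007-07-10T08:29:00Z" + secrets.token_hex(4),  # constructed
               "openid.assoc_handle": handle, "openid.signed": signed}
        msg["openid.sig"] = sign(msg, signed, secret)
        return msg
    def check_authentication(self, req: dict) -> bool:
        # Direct verification: the OP re-checks the signature with its own secret.
        # The private association is consumed so a second check for the same response is refused.
        secret = self.private.pop(req["openid.assoc_handle"], None)
        return secret is not None and hmac.compare_digest(
            req["openid.sig"], sign(req, req["openid.signed"], secret))

class RelyingParty:
    def __init__(self):
        self.shared = {}   # handle -> secret for associations this RP established itself
    def verify(self, msg: dict, op: Provider) -> tuple:
        handle = msg["openid.assoc_handle"]
        secret = self.shared.get(handle)
        if secret is not None:   # a handle we chose and still hold: verify locally
            ok = hmac.compare_digest(msg["openid.sig"], sign(msg, msg["openid.signed"], secret))
            return "local", ok
        # Unknown handle (private, or one this RP has since lost): ask the OP directly.
        # The check_authentication request is the assertion with only the mode changed.
        req = dict(msg, **{"openid.mode": "check_authentication"})
        return "direct", op.check_authentication(req)
```

The RP never needs to tell the OP that it lost a handle: whatever handle an unsolicited response carries, the RP simply does not trust it locally and lets the OP do the checking.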
