On 10/07/07, Dick Hardt <[EMAIL PROTECTED]> wrote: > > Given that there doesn't seem to be any way to recover from this > > situation, it seems like private associations are the only sane option > > for unsolicited responses. > > An update message would require direct verification and not use an > association. Associations are set by the RP, and in this case, the OP > is initiating the conversation. I might be missing something, but I > don't see how you can reliably use an association.
That was the conclusion that I came to. I was replying to Johnny's statement that the OP knows the expiry time of the association handles it stores so could use a previously negotiated handle in the unsolicited response. I think it would be good to include a statement to this effect in the specification so that implementers don't have to work this out for themselves (and maybe get it wrong). James. _______________________________________________ specs mailing list email@example.com http://openid.net/mailman/listinfo/specs