On 10/07/07, Dick Hardt <[EMAIL PROTECTED]> wrote:
> > Given that there doesn't seem to be any way to recover from this
> > situation, it seems like private associations are the only sane option
> > for unsolicited responses.
>
> An update message would require direct verification and not use an
> association. Associations are set by the RP, and in this case, the OP
> is initiating the conversation. I might be missing something, but I
> don't see how you can reliably use an association.

That was the conclusion that I came to.

I was replying to Johnny's statement that the OP knows the expiry time
of the association handles it stores so could use a previously
negotiated handle in the unsolicited response.

I think it would be good to include a statement to this effect in the
specification so that implementers don't have to work this out for
themselves (and maybe get it wrong).

James.
_______________________________________________
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs

Reply via email to