In the OpenID Authentication 2.0 spec, the Relying Party is obligated to use direct verification to check the signature when it does not have the association stored.
But is an OP required to support check_authentication? There are certain providers that appear to not support it, always returning a failure. There are other providers that include mode as a signed attribute, and so reject the check_authentication as having an invalid signature (since the mode has changed). Can someone familiar with this comment, please?
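An added illustration, not part of the original post and not any provider's code, of the signed-mode failure described above: the RP copies the assertion and changes only `openid.mode`, so an OP that recomputes the signature over the request as received rejects it whenever `mode` is in `openid.signed`. It assumes HMAC-SHA256 over the key-value form of the signed fields; the secret, the sample assertion and all function names are constructed or hypothetical, and restoring `id_res` before recomputing is shown as one possible OP-side handling, not as something the spec text quoted here mandates.

```python
import base64
import hashlib
import hmac

SECRET = b"constructed-op-private-secret"  # constructed; known only to the OP

def sign(fields, secret):
    """HMAC-SHA256 over "key:value\\n" lines, in openid.signed order."""
    keys = fields["openid.signed"].split(",")
    kv = "".join(f"{k}:{fields['openid.' + k]}\n" for k in keys)
    mac = hmac.new(secret, kv.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")

def make_assertion(signed):
    """Constructed positive assertion (mode=id_res) signed by the OP."""
    fields = {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "id_res",
        "openid.op_endpoint": "https://op.example/endpoint",
        "openid.claimed_id": "https://user.example/",
        "openid.identity": "https://user.example/",
        "openid.return_to": "https://rp.example/return",
        "openid.response_nonce": "2024-01-01T00:00:00Zconstructed",
        "openid.assoc_handle": "constructed-stateless-handle",
        "openid.signed": signed,
    }
    fields["openid.sig"] = sign(fields, SECRET)
    return fields

def build_check_auth(assertion):
    """RP side: exact copy of the response fields, except openid.mode."""
    request = dict(assertion)
    request["openid.mode"] = "check_authentication"
    return request

def op_verify_as_received(request, secret):
    """Recompute over the request unchanged; breaks if mode was signed."""
    return hmac.compare_digest(sign(request, secret), request["openid.sig"])

def op_verify_restoring_mode(request, secret):
    """Recompute with mode put back to the value it had when signed."""
    original = dict(request, **{"openid.mode": "id_res"})
    return hmac.compare_digest(sign(original, secret), request["openid.sig"])

BASE = "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle"
```

A real OP endpoint would additionally confirm that the association handle is one of its own stateless handles and that the nonce has not already been verified.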
