(David, sorry for sending this to you by accident instead of the list.) Should, not must?
If must (and maybe even if should), then it seems it either should be illegal to have mode as a signed attribute or check_authentication should not be subject to signature checking (since the sender must change the mode attribute and isn't able to recalculate the signature, and in any case, the whole purpose is that the OP validate the signature received by the Relying Party.)

On Fri, Aug 27, 2010 at 12:10 AM, David Recordon <[email protected]> wrote:
> ugh, yes every provider should support check_authentication.
>
> On Thu, Aug 26, 2010 at 10:11 PM, Yitzchak Scott-Thoennes
> <[email protected]> wrote:
>>
>> In the OpenID Authentication 2.0 spec, the Relying Party is obligated
>> to use direct verification to check the signature when it does not have
>> the association stored.
>>
>> But is an OP required to support check_authentication?
>>
>> There are certain providers that appear to not support it, always
>> returning a failure.
>>
>> There are other providers that include mode as a signed attribute,
>> and so reject the check_authentication as having an invalid signature
>> (since the mode has changed).
>>
>> Can someone familiar with this comment, please?
>> _______________________________________________
>> specs mailing list
>> [email protected]
>> http://lists.openid.net/mailman/listinfo/openid-specs
>
> _______________________________________________
> specs mailing list
> [email protected]
> http://lists.openid.net/mailman/listinfo/openid-specs
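The failure the thread describes can be reproduced with a few lines of code. The following is an added example, not code from the thread or from any OpenID implementation: it builds a positive assertion over constructed field values and a made-up association MAC key (HMAC-SHA256 association assumed), turns it into a check_authentication request the way section 11.4.2.1 requires (copy everything, change openid.mode), and then lets the OP recompute the signature. When "mode" is not in openid.signed the request verifies; when "mode" is signed the recomputation fails, exactly as reported above. The `restore_mode` switch is one way an OP could tolerate a signed mode (put it back to id_res before signing); it is an assumption for illustration, not language from the spec.

```python
import base64
import hashlib
import hmac

# Constructed association secret. In practice this is the MAC key from the
# association the OP and RP share (assoc_type HMAC-SHA256 assumed here).
MAC_KEY = bytes(range(32))

# Constructed positive assertion, as the RP would receive it indirectly
# from the OP (OpenID Authentication 2.0, section 10.1). All values made up.
ASSERTION_FIELDS = {
    "openid.ns": "http://specs.openid.net/auth/2.0",
    "openid.mode": "id_res",
    "openid.op_endpoint": "https://op.example/endpoint",
    "openid.claimed_id": "https://alice.example/",
    "openid.identity": "https://alice.example/",
    "openid.return_to": "https://rp.example/finish",
    "openid.response_nonce": "2010-08-27T05:10:00Zc0ffee",
    "openid.assoc_handle": "assoc-0001",
}

# Fields the spec obliges the OP to sign in a positive assertion (10.1).
REQUIRED_SIGNED = ["op_endpoint", "return_to", "response_nonce",
                   "assoc_handle", "claimed_id", "identity"]


def kv_form(params, signed):
    """Key-Value form over the signed fields (spec section 6): one
    'key:value\\n' line per entry of openid.signed, in that order, with the
    'openid.' prefix dropped from the key."""
    return "".join("%s:%s\n" % (key, params["openid." + key]) for key in signed)


def sign(params, signed, mac_key):
    """HMAC-SHA256 over the Key-Value form, base64 encoded (spec section 6)."""
    digest = hmac.new(mac_key, kv_form(params, signed).encode("utf-8"),
                      hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def build_assertion(signed, mac_key=MAC_KEY):
    """OP side: the assertion plus openid.signed and openid.sig."""
    msg = dict(ASSERTION_FIELDS)
    msg["openid.signed"] = ",".join(signed)
    msg["openid.sig"] = sign(msg, signed, mac_key)
    return msg


def to_check_authentication(assertion):
    """RP side: direct verification request (spec section 11.4.2.1) is an
    exact copy of the assertion with openid.mode set to check_authentication.
    The RP has no MAC key, so it cannot re-sign anything."""
    req = dict(assertion)
    req["openid.mode"] = "check_authentication"
    return req


def op_verify(request, mac_key=MAC_KEY, restore_mode=False):
    """OP side, signature check only (assoc_handle lookup and nonce reuse
    checks are out of scope here). With restore_mode=False the OP recomputes
    the signature over the request exactly as received, so a signed 'mode'
    field can never verify. With restore_mode=True the OP first puts
    openid.mode back to id_res when 'mode' is listed in openid.signed; this
    is an assumed workaround for illustration, not spec behaviour."""
    signed = request["openid.signed"].split(",")
    params = dict(request)
    if restore_mode and "mode" in signed:
        params["openid.mode"] = "id_res"
    expected = sign(params, signed, mac_key)
    return hmac.compare_digest(expected, request["openid.sig"])


def demo():
    """Returns (verifies without signed mode, verifies with signed mode,
    verifies with signed mode after restoring id_res)."""
    plain = to_check_authentication(build_assertion(REQUIRED_SIGNED))
    with_mode = to_check_authentication(build_assertion(["mode"] + REQUIRED_SIGNED))
    return (op_verify(plain), op_verify(with_mode),
            op_verify(with_mode, restore_mode=True))


if __name__ == "__main__":
    print(demo())
```

Running `demo()` gives `(True, False, True)`: the same RP request is rejected or accepted purely on whether the OP signed the mode field, which is the inconsistency the thread asks the spec to resolve.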
