Direct verification is useful for more than stateless mode.  Sometimes the
OP's association list may get cleared, or the RP sends an almost expired
association handle to the OP and the OP needs to send a private association
handle back to the RP in order for the user's flow to go on uninterrupted.
These are legitimate cases that can only be handled smoothly if the OP
supports direct verification.

Another use of direct verification is if the RP is an OpenID 1.1 compliant
RP and doesn't have replay protection built in.  In this case, for example,
DotNetOpenAuth OPs automatically force use of direct verification by using a
private association in order to provide replay protection.
--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death
your right to say it." - S. G. Tallentyre


On Fri, Aug 27, 2010 at 9:25 AM, Hans Granqvist <[email protected]> wrote:

> Since stateless mode authentication is weak, it seems incorrect to say a
> provider must or should implement it.
>
>
> On Fri, Aug 27, 2010 at 12:20 AM, Yitzchak Scott-Thoennes <[email protected]> wrote:
>
>> (David, sorry for sending this to you by accident instead of the list.)
>>
>> Should, not must?
>>
>> If must (and maybe even if should), then it seems it either should be
>> illegal to have mode as a signed attribute or check_authentication
>> should not be subject to signature checking (since the sender must
>> change the mode attribute and isn't able to recalculate the signature,
>> and in any case, the whole purpose is that the OP validate the
>> signature received by the Relying Party.)
>>
>> On Fri, Aug 27, 2010 at 12:10 AM, David Recordon <[email protected]> wrote:
>> > ugh, yes every provider should support check_authentication.
>> >
>> > On Thu, Aug 26, 2010 at 10:11 PM, Yitzchak Scott-Thoennes <[email protected]> wrote:
>> >>
>> >> In the OpenID Authentication 2.0 spec, the Relying Party is obligated
>> >> to use direct verification to check the signature when it does not have
>> >> the association stored.
>> >>
>> >> But is an OP required to support check_authentication?
>> >>
>> >> There are certain providers that appear to not support it, always
>> >> returning a failure.
>> >>
>> >> There are other providers that include mode as a signed attribute,
>> >> and so reject the check_authentication as having an invalid signature
>> >> (since the mode has changed).
>> >>
>> >> Can someone familiar with this comment, please?
>> >> _______________________________________________
>> >> specs mailing list
>> >> [email protected]
>> >> http://lists.openid.net/mailman/listinfo/openid-specs
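The two technical points in this thread (Yitzchak's: the RP must change openid.mode to check_authentication and cannot re-sign, so an OP that includes mode in the signed list has to verify against the mode it actually signed; Andrew's: a private association plus direct verification gives replay protection) as an added Python example. This is not code from the thread, from DotNetOpenAuth or from any OpenID library. The association store, handles, MAC keys, field values and function names are constructed for the illustration; the Key-Value Form signing layout and the check_authentication field rules follow OpenID Authentication 2.0 sections 6.1, 10.1 and 11.4.2. The "private associations only" rule in check_authentication is this example's policy, not a quotation of the spec.

```python
import base64
import hashlib
import hmac

# Constructed sample: one private (OP-only) association and one shared one.
# Handles and keys are made-up values for this illustration.
ASSOC_STORE = {
    "{HMAC-SHA256}{priv-example}": {"mac_key": b"\x01" * 32, "private": True},
    "{HMAC-SHA256}{shared-example}": {"mac_key": b"\x02" * 32, "private": False},
}


def signed_kvform(fields: dict, signed: str) -> bytes:
    """Key-Value Form body the signature covers (OpenID 2.0 sec. 6.1 and 10.1).

    openid.signed names the fields (without the 'openid.' prefix) in the
    order they are concatenated as 'key:value\\n'.
    """
    return "".join(
        f"{key}:{fields['openid.' + key]}\n" for key in signed.split(",")
    ).encode("utf-8")


def compute_sig(fields: dict, signed: str, mac_key: bytes) -> str:
    """Base64(HMAC-SHA256(mac_key, kvform)), the value carried in openid.sig."""
    mac = hmac.new(mac_key, signed_kvform(fields, signed), hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")


def sign_response(fields: dict, handle: str) -> dict:
    """OP side: sign a positive assertion (openid.mode=id_res).

    'mode' is deliberately in the signed list, the situation the thread
    describes, so the OP must cope with the RP changing it afterwards.
    """
    out = dict(fields)
    out["openid.mode"] = "id_res"
    out["openid.assoc_handle"] = handle
    signed = "op_endpoint,return_to,response_nonce,assoc_handle,claimed_id,identity,mode"
    out["openid.signed"] = signed
    out["openid.sig"] = compute_sig(out, signed, ASSOC_STORE[handle]["mac_key"])
    return out


def build_check_auth_request(response: dict) -> dict:
    """RP side (sec. 11.4.2.1): exact copy of the response, only mode changes.

    The RP cannot re-sign, because it never held the private MAC key.
    """
    req = dict(response)
    req["openid.mode"] = "check_authentication"
    return req


def verify_naive(request: dict) -> bool:
    """The broken OP behaviour from the thread: recompute the HMAC over the
    fields exactly as received. Because 'mode' is signed and now reads
    'check_authentication', the HMAC never matches a genuine response."""
    assoc = ASSOC_STORE.get(request.get("openid.assoc_handle", ""))
    if assoc is None:
        return False
    expected = compute_sig(request, request["openid.signed"], assoc["mac_key"])
    return hmac.compare_digest(expected, request.get("openid.sig", ""))


def check_authentication(request: dict, used_nonces: set) -> str:
    """Correct OP side (sec. 11.4.2.2). Returns the direct-response KVF body.

    1. Only private associations are verified (this example's policy: an RP
       holding a shared key can verify locally and does not need the OP).
    2. mode is restored to 'id_res', the value that was actually signed.
    3. Each response_nonce is answered at most once, which is the replay
       protection the thread mentions for OpenID 1.1 RPs.
    """
    if request.get("openid.mode") != "check_authentication":
        return "is_valid:false\n"
    assoc = ASSOC_STORE.get(request.get("openid.assoc_handle", ""))
    if assoc is None or not assoc["private"]:
        return "is_valid:false\n"
    as_signed = dict(request)
    as_signed["openid.mode"] = "id_res"
    try:
        expected = compute_sig(as_signed, request["openid.signed"], assoc["mac_key"])
    except KeyError:  # a field listed in openid.signed is missing
        return "is_valid:false\n"
    if not hmac.compare_digest(expected, request.get("openid.sig", "")):
        return "is_valid:false\n"
    nonce = request["openid.response_nonce"]
    if nonce in used_nonces:
        return "is_valid:false\n"  # second verification of the same assertion
    used_nonces.add(nonce)
    return "is_valid:true\n"


# Constructed positive-assertion fields (all values are made up).
SAMPLE_FIELDS = {
    "openid.ns": "http://specs.openid.net/auth/2.0",
    "openid.op_endpoint": "https://op.example/endpoint",
    "openid.return_to": "https://rp.example/return",
    "openid.response_nonce": "2010-08-27T09:25:00ZEXAMPLE1",
    "openid.claimed_id": "https://op.example/alice",
    "openid.identity": "https://op.example/alice",
}

if __name__ == "__main__":
    used = set()
    resp = sign_response(SAMPLE_FIELDS, "{HMAC-SHA256}{priv-example}")
    req = build_check_auth_request(resp)
    print("naive OP accepts genuine response:", verify_naive(req))
    print("spec OP, first check:", check_authentication(req, used).strip())
    print("spec OP, replayed check:", check_authentication(req, used).strip())
```

Running the block shows the naive OP rejecting a perfectly good assertion (the invalid-signature failure Yitzchak reports), while the second verifier accepts it once and refuses the same response_nonce a second time. Tampering with any signed field, or presenting a handle from a shared association, is also refused.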
