Dick Hardt wrote:
>
> Would be nice if the OP checking the RP could be cached so that it
> does not have to happen for each request.
>
Hi Dick,

OPs should definitely cache verification status of the RP's return_to url so that verification happens once, or at least not until the association expires.

The Association Process also seems a bit asymmetrical, as the OP is giving out a shared secret and a handle, but it doesn't know who it's giving it to. An OP may want to know more about the RP, like for instance its realm and return_to url, before serving the request. The OP can then complete the association process by verifying the RP's return_to url after issuing the handle. I'm not sure how the realm could be verified though.

Allen

_______________________________________________
security mailing list
[email protected]
http://openid.net/mailman/listinfo/security
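
An added example, not part of the original message or of any OpenID implementation: one way an OP could cache the return_to verification status so the check runs once per association lifetime, as discussed above. The class name, the injected verifier callable and the rp.example URLs are assumptions made for illustration; the real verification step is left to that callable.

```python
import time
from typing import Callable, Dict, Tuple


class ReturnToVerificationCache:
    """OP-side cache of RP return_to verification results (hypothetical name).

    A result is kept until the association it was checked under expires,
    so the verifier runs once per (realm, return_to) per association lifetime.
    """

    def __init__(self, verifier: Callable[[str, str], bool],
                 clock: Callable[[], float] = time.time):
        self._verifier = verifier  # assumption: performs the real RP check
        self._clock = clock        # injectable so expiry can be exercised
        self._entries: Dict[Tuple[str, str], Tuple[bool, float]] = {}

    def is_verified(self, realm: str, return_to: str,
                    assoc_expires_at: float) -> bool:
        now = self._clock()
        key = (realm, return_to)
        cached = self._entries.get(key)
        if cached is not None and cached[1] > now:
            return cached[0]  # still inside the association lifetime
        # First request, or the earlier association has expired: verify again
        # and keep the status until the current association expires.
        status = self._verifier(realm, return_to)
        self._entries[key] = (status, assoc_expires_at)
        return status


def demo() -> int:
    """Run three requests under one association; return the verifier call count."""
    calls = []

    def stub_verifier(realm: str, return_to: str) -> bool:
        # Constructed stand-in: accepts one known URL and records each call.
        calls.append(return_to)
        return return_to == "https://rp.example/openid/return"

    cache = ReturnToVerificationCache(stub_verifier)
    expires = time.time() + 3600  # constructed association lifetime
    for _ in range(3):
        cache.is_verified("https://rp.example/",
                          "https://rp.example/openid/return", expires)
    return len(calls)


if __name__ == "__main__":
    print("verifier calls for 3 requests:", demo())
```
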
