
  • Stateless RPs?

    Your concern about an unsolicited positive assertion is valid, although I'm asking myself how/when that would ever happen (this is beyond my level of OpenID knowledge). Can you comment on that? My understanding of OpenID stateless mode is that the RP simply doesn't store associations past the current request, but that these are generally RP initiated. Am I wrong there?

    To your second point, if the RP can at least remember the email address while it's waiting for a claimed identifier, then even if the OP responds with the wrong identifier, EAUT could be used to automatically figure out if there's a correlation between the two. If that correlation fails, then it seems like the result would be the same for my version of EAUT (emails are mapped to OpenIDs) and your version (where email-addresses are OpenIDs), since the email-discovery mechanism is the same for both: EAUT.
    By ext_129897 at 01:25 am on 27th Oct 2008
    • Re: Stateless RPs?

      Right now the only common situation where an unsolicited positive assertion arises is when providers send back an assertion for a different identifier than was in the request.

      The subtle difference between EAUT-first and EAUT-in-discovery here is that in the former case there's no way to figure out what email address belongs to the URL in the unsolicited positive assertion, so you'll need to do traditional email validation on the email address the user entered. In the latter case, if the OP switches identifiers it can choose to send back an email address, and as long as discovery on that email address works out you've got a verified email address despite the unsolicited nature of the assertion.

      When I mentioned state in my message I wasn't referring to associations. What I meant was the RP remembering what email address the user entered to correlate it with the assertion later.

      By Martin Atkins at 06:06 am on 27th Oct 2008
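
The two comments above describe the same situation from two angles: the RP remembers the email address it started with, the OP asserts a different identifier than was requested, and the RP must decide whether it still has a verified email. The following is an added example, not code from either commenter or from any EAUT implementation. EAUT discovery is stubbed with a constructed in-memory table (real EAUT resolves an address through a template published for its domain), the OpenID signature on the assertion is assumed to have been checked already, and the names `start_login`, `verified_email`, `PendingAuth`, `Assertion` and `email_hint` are my own.

```python
# Added example, not code from the original thread: a toy model of how an RP
# that remembers the entered email address handles an unsolicited positive
# assertion (the OP asserts a different identifier than was requested).
# EAUT discovery is replaced by a constructed in-memory table; real EAUT
# resolves an email address to an OpenID URL via a template published for
# the address's domain. The assertion's OpenID signature is assumed to have
# been verified already; this code only decides whether an email is verified.

from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample data standing in for EAUT discovery results.
EAUT_TABLE = {
    "alice@example.com": "https://openid.example.com/alice",
    "bob@example.org": "https://bob.example.org/",
}


def eaut_discover(email: str) -> Optional[str]:
    """Stub for EAUT discovery: the OpenID URL an email maps to, or None."""
    return EAUT_TABLE.get(email.strip().lower())


@dataclass
class PendingAuth:
    """What the RP keeps between sending the request and receiving the assertion."""
    entered_email: str
    expected_claimed_id: str


@dataclass
class Assertion:
    """The parts of a positive assertion this example cares about."""
    claimed_id: str
    email_hint: Optional[str] = None  # email the OP may return (EAUT-in-discovery)


def start_login(entered_email: str) -> Optional[PendingAuth]:
    """EAUT-first: map the entered email to an OpenID and remember both."""
    claimed_id = eaut_discover(entered_email)
    if claimed_id is None:
        return None
    return PendingAuth(entered_email=entered_email, expected_claimed_id=claimed_id)


def verified_email(pending: PendingAuth, assertion: Assertion) -> Tuple[Optional[str], str]:
    """Decide which email address, if any, the assertion verifies.

    Returns (email or None, reason). A None email means the RP must fall
    back to traditional email validation (send a confirmation link).
    """
    # Solicited case: the OP confirmed the identifier that the remembered
    # email discovered to, so that email is verified.
    if assertion.claimed_id == pending.expected_claimed_id:
        return pending.entered_email, "solicited"

    # Unsolicited positive assertion: the identifier changed. The remembered
    # email discovered to a different URL, so it says nothing about this one.
    # EAUT-in-discovery: if the OP sent back an email address, run discovery
    # on it and trust it only if discovery leads to the asserted identifier.
    if assertion.email_hint is not None:
        if eaut_discover(assertion.email_hint) == assertion.claimed_id:
            return assertion.email_hint, "eaut_in_discovery"
        return None, "email_hint_does_not_discover_to_claimed_id"

    # EAUT-first with no hint: nothing to correlate, verify the email manually.
    return None, "traditional_validation_required"
```

The design point is that the OP-supplied email is never trusted on its own: it becomes verified only because discovery on it resolves to the identifier the OP just asserted, which is exactly the correlation the thread describes. When that correlation fails, or when no email comes back, the RP is left with the email the user typed and must confirm it the traditional way.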