From: Andrew Arnott <andrewarnott <at> gmail.com>
Subject: Re: [OpenID] choosing endpoint after performing discovery on claimed_id from response
Newsgroups: gmane.comp.web.openid.general
Date: 2008-07-22 15:20:28 GMT
As James mentioned, Greg, the spec requires that you verify more than just the op_endpoint. In fact 4 fields are listed in the table of section 11.2 that should be equal. And James, I think these four fields should be enough to narrow the endpoints down to just one. And even if it didn't, it might as well be since all the significant data is the same.
On Tue, Jul 22, 2008 at 7:47 AM, James Tindall <james <at> atomless.com> wrote:
Thanks Greg,
I think you're right - but it's possible that more than one endpoint in
the xrds has the same op_endpoint as that supplied in the response - so
it would be necessary to also compare other fields to select the best
matching endpoint. This is making OpenID kind of a protracted process.
=james.tindall
Greg Byrd wrote:
> (1) Section 11.2 says that RP must perform discovery "[i]f the Claimed
> Identifier was not previously discovered." So I think you don't need
> to do that second discovery step in your email. But you said
> stateless mode, so maybe you don't remember that you discovered the ID
> in the first place, so...
>
> (2) The op_endpoint field is returned in id_res, so the verification
> should just check whether any of the OPs returned from discovery match
> the supplied op_endpoint.
>
> ...Greg
>
>
> James Tindall wrote:
>> Suppose a relying party is operating under stateless mode. Suppose
>> also that the discovery phase for the given claimed_id returned more
>> than one endpoint. Then suppose that association attempts failed on
>> at least one of the endpoints but then succeeded on one of the other
>> endpoints further down the priority order. Then upon receiving the
>> authentication (id_res) response from the chosen OP the RP must
>> perform discovery on the claimed_id contained in the response in
>> order to be able to verify the response data against discovered data.
>> But then if, as is probable, the discovery phase again returns more
>> than one endpoint, how is the RP to choose which one to verify the
>> response data against?
>>
>> =james.tindall
>>
>>
>> _______________________________________________
>> general mailing list
>> general <at> openid.net
>> http://openid.net/mailman/listinfo/general
>
>
>
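The selection step the thread is debating, written out as an added example (not code from the thread, the spec, or any OpenID library). It assumes the four-field comparison Andrew refers to in OpenID Authentication 2.0 section 11.2 (Claimed Identifier, OP-Local Identifier, OP Endpoint URL, Protocol Version) and that identifiers have already been normalized; the record layout, function names and sample discovery data are constructed for this example. It covers the case James raises: two XRDS services with the same OP endpoint, distinguished only by their OP-Local Identifier.

```python
# Added example: pick the discovered endpoint an id_res response must be
# verified against, per the four fields of OpenID 2.0 section 11.2.
# Constructed for this thread; not from any OpenID implementation.
from dataclasses import dataclass
from typing import Optional

OPENID2_NS = "http://specs.openid.net/auth/2.0"


@dataclass(frozen=True)
class DiscoveredEndpoint:
    """One <Service> element from XRDS discovery, already parsed (assumed shape)."""
    claimed_id: str   # Claimed Identifier, normalized
    local_id: str     # OP-Local Identifier; equals claimed_id when no <LocalID>
    op_endpoint: str  # service <URI>
    version: str      # "2.0" or "1.x", derived from the service <Type>
    priority: int     # XRDS priority; lower value is preferred


def response_version(resp: dict) -> str:
    """Protocol version asserted by the response: 2.0 iff openid.ns is the 2.0 namespace."""
    return "2.0" if resp.get("openid.ns") == OPENID2_NS else "1.x"


def matching_endpoints(resp: dict, discovered: list) -> list:
    """Endpoints whose four section-11.2 fields all equal those in the response.

    A candidate that shares only op_endpoint with the response is rejected
    because its OP-Local Identifier (openid.identity) does not match.
    """
    want = (
        resp.get("openid.claimed_id"),
        resp.get("openid.identity"),
        resp.get("openid.op_endpoint"),
        response_version(resp),
    )
    return [
        ep for ep in discovered
        if (ep.claimed_id, ep.local_id, ep.op_endpoint, ep.version) == want
    ]


def select_endpoint(resp: dict, discovered: list) -> Optional[DiscoveredEndpoint]:
    """Return the endpoint to verify against, or None, meaning reject the assertion."""
    matches = matching_endpoints(resp, discovered)
    if not matches:
        return None
    # Remaining matches agree on everything the spec compares; they differ
    # only in metadata such as XRDS priority, so any one is acceptable.
    # Take the best priority for determinism.
    return min(matches, key=lambda ep: ep.priority)


# Constructed sample discovery result: two 2.0 services share an OP endpoint
# but map the claimed id to different OP-local identifiers; a third is 1.x.
SAMPLE_DISCOVERY = [
    DiscoveredEndpoint("https://alice.example/", "https://alice.example/",
                       "https://op.example/auth", "2.0", priority=10),
    DiscoveredEndpoint("https://alice.example/", "https://op.example/users/alice",
                       "https://op.example/auth", "2.0", priority=20),
    DiscoveredEndpoint("https://alice.example/", "https://alice.example/",
                       "https://op.example/auth", "1.x", priority=30),
]

# Constructed sample id_res response (signature and nonce checks are separate
# steps of section 11 and are not shown here).
SAMPLE_RESPONSE = {
    "openid.ns": OPENID2_NS,
    "openid.mode": "id_res",
    "openid.claimed_id": "https://alice.example/",
    "openid.identity": "https://op.example/users/alice",
    "openid.op_endpoint": "https://op.example/auth",
}


if __name__ == "__main__":
    chosen = select_endpoint(SAMPLE_RESPONSE, SAMPLE_DISCOVERY)
    print("verify against:", chosen)
```

Only the second service survives the four-field comparison, even though all three share `op_endpoint`; a response whose `openid.identity` matches none of the discovered OP-local identifiers yields `None` and the assertion is rejected rather than verified against the "closest" endpoint.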