assoc_type and assoc_handle

Nathan D. Bowen nbowen+yadis at
Wed Jun 8 19:45:48 PDT 2005

On Wed, Jun 08, 2005 at 05:57:01PM -0700, Brad Fitzpatrick wrote:
> I noticed that checkid_* mode is defined like:
>     * GET OpenID server URL
>     * openid.mode = 'checkid_immediate'
>     * openid.identity = OpenID URL
>     * openid.return_to = return URL
>     * openid.assoc_handle = HMAC secret handle (optional, see "dumb mode")
> But no assoc_type.

This may be biased by my particular implementation, but if the consumer
requests HMAC-SHA1, and the server returns an assoc_handle and
acknowledges that it will be using HMAC-SHA1, doesn't the consumer know
to expect HMAC-SHA1 whenever it uses that handle?

My intention with the association model was to describe the "association"
as something that held all the parameters by which future communication
using that assoc_handle would take place. So, for instance, we wouldn't
need to talk about the secret key expiring - the whole association

And anything that will be true for the whole association can
then be tied to that handle.

The type of the identity tokens is just one of the things described in
the attributes of an association.

So, in the model I was using in the descriptive text, there's not
"an association of type HMAC", there's "an association that, among
other things, specifies that tokens will be sent digested with HMAC".

(Incidentally, that's why I prefer id_token_type to assoc_type.)

  Nathan D. Bowen
  nbowen at
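
An added illustration, not part of the original message or of any OpenID implementation: a consumer-side sketch of the model described above, in which the token type and expiry are stored with the association and looked up by assoc_handle, so a request never names its own algorithm. The class and function names, the token bytes and the hex MAC encoding are assumptions made for this sketch.

```python
import hashlib
import hmac
import time
from dataclasses import dataclass

# Token types this sketch accepts; the names are assumptions, not spec values.
DIGESTS = {"HMAC-SHA1": hashlib.sha1, "HMAC-SHA256": hashlib.sha256}

@dataclass(frozen=True)
class Association:
    handle: str
    token_type: str      # agreed once, when the association is created
    secret: bytes
    expires_at: float    # expiry belongs to the association as a whole

class AssociationStore:
    def __init__(self):
        self._by_handle = {}

    def add(self, assoc):
        if assoc.token_type not in DIGESTS:
            raise ValueError("unsupported token type: " + assoc.token_type)
        self._by_handle[assoc.handle] = assoc

    def verify(self, handle, token, mac_hex, now=None):
        """Check a token's MAC using only parameters bound to the handle."""
        assoc = self._by_handle.get(handle)
        now = time.time() if now is None else now
        if assoc is None or now >= assoc.expires_at:
            return False  # unknown or expired: the whole association is unusable
        digest = DIGESTS[assoc.token_type]  # never taken from the request itself
        expected = hmac.new(assoc.secret, token, digest).hexdigest()
        # Constant-time comparison; bytes so odd input cannot raise TypeError.
        return hmac.compare_digest(expected.encode(), mac_hex.encode())

def sign(assoc, token):
    """Server side: produce the MAC the association says to use."""
    return hmac.new(assoc.secret, token, DIGESTS[assoc.token_type]).hexdigest()
```
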
