Association Handles and Service URIs

Marius Scurtescu marius at
Tue Aug 29 21:56:05 UTC 2006

On 25-Aug-06, at 3:24 PM, Marius Scurtescu wrote:

> On 25-Aug-06, at 10:52 AM, Kevin Turner wrote:
>> You're right, there is typically only one active association.  I  
>> suppose
>> there is a borderline case where the RP sends a request with one
>> association handle, but in the time between when you make the request
>> and get a response, a new association has been established...  but  
>> since
>> new associations are typically only established when the old one  
>> becomes
>> invalid, it's questionable if you should accept the response in that
>> case anyway.
> You bring up a good point, what happens if a new association is  
> established while there are active transactions? If you don't  
> accept the transaction then this leads to bad user experience. I  
> can see two solutions here:
> - if the association based verification fails then fall back to  
> direct verification (this would also prevent the DoS attack  
> described above), but the spec should allow you to do this
> - allow multiple associations to be active, you will ask for a new  
> association before the previous one expired and then unfinished  
> transactions can still complete properly, this complicates  
> association management a bit

The fall back to direct verification is not possible, the key used  
for the signature would be totally different.

Another option would be to establish a new association and then  
bounce the user back to the server and ask for an immediate  
authentication (check_immediate) this time.

So, solving this issue is totally up to the client implementor? Any  
suggestions or hints planned for the spec?


More information about the yadis mailing list