I've finally read the full OpenId spec and now have some questions related
to unsolicited positive assertions.
When the OP creates an unsolicited positive assertion, is a private
association created? If so, where does this get stored or come from? If
stored, is there a data store extension point (override)?
I modified the OpenId OP and RP example sites to perform an unsolicited
assertion. It does not appear to me, at least looking at the logs, that
the RP performs direct verification of the unsolicited positive assertion.
Is this correct? If no direct verification is performed, it seems to me
that there must be a "stored" mutual shared key (MAC) being used, and if so,
is there an extension point (override) for storage and retrieval of the
shared key associated with each OP/RP endpoint?
Thanks again for your direction.