author | Andrew Arnott <andrewarnott@gmail.com> | 2011-05-20 18:36:21 -0700 |
committer | Andrew Arnott <andrewarnott@gmail.com> | 2011-05-20 18:36:21 -0700 |
commit | e45e061e67a770e2d6093ad200ad1f23c13e9d0c (patch) | |
tree | 2a78644d2a807bae25ab25fd8652b715fa780fa7 | |
parent | 188513a8936c4ef70ed823500daa0864a7cc0085 (diff) | |
StyleCop fixes.
9 files changed, 152 insertions, 68 deletions
diff --git a/samples/OAuthAuthorizationServer/Code/OAuth2AuthorizationServer.cs b/samples/OAuthAuthorizationServer/Code/OAuth2AuthorizationServer.cs
index ef0d7cd..3be70f0 100644
--- a/samples/OAuthAuthorizationServer/Code/OAuth2AuthorizationServer.cs
+++ b/samples/OAuthAuthorizationServer/Code/OAuth2AuthorizationServer.cs
@@ -17,56 +17,6 @@ private readonly INonceStore nonceStore = new DatabaseNonceStore();
- /// <summary>
- /// Creates a symmetric secret used to sign and encrypt authorization server refresh tokens.
- /// </summary>
- /// <returns>A cryptographically strong symmetric key.</returns>
- private static byte[] CreateSecret() {
- // TODO: Replace this sample code with real code.
- // For this sample, we just generate random secrets.
- RandomNumberGenerator crypto = new RNGCryptoServiceProvider();
- var secret = new byte[32]; // 256-bit symmetric key to protect all protected resources.
- crypto.GetBytes(secret);
- return secret;
- }
-
- /// <summary>
- /// Creates the RSA key used by all the crypto service provider instances we create.
- /// </summary>
- /// <returns>RSA data that includes the private key.</returns>
- private static RSAParameters CreateRSAKey() {
-#if SAMPLESONLY
- // Since the sample authorization server and the sample resource server must work together,
- // we hard-code a FOR SAMPLE USE ONLY key pair. The matching public key information is hard-coded into the OAuthResourceServer sample.
- // In a real app, the RSA parameters would typically come from a certificate that may already exist. It may simply be the HTTPS certificate for the auth server.
- return new RSAParameters {
- Exponent = new byte[] { 1, 0, 1 },
- Modulus = new byte[] { 210, 95, 53, 12, 203, 114, 150, 23, 23, 88, 4, 200, 47, 219, 73, 54, 146, 253, 126, 121, 105, 91, 118, 217, 182, 167, 140, 6, 67, 112, 97, 183, 66, 112, 245, 103, 136, 222, 205, 28, 196, 45, 6, 223, 192, 76, 56, 180, 90, 120, 144, 19, 31, 193, 37, 129, 186, 214, 36, 53, 204, 53, 108, 133, 112, 17, 133, 244, 3, 12, 230, 29, 243, 51, 79, 253, 10, 111, 185, 23, 74, 230, 99, 94, 78, 49, 209, 39, 95, 213, 248, 212, 22, 4, 222, 145, 77, 190, 136, 230, 134, 70, 228, 241, 194, 216, 163, 234, 52, 1, 64, 181, 139, 128, 90, 255, 214, 60, 168, 233, 254, 110, 31, 102, 58, 67, 201, 33 },
- P = new byte[] { 237, 238, 79, 75, 29, 57, 145, 201, 57, 177, 215, 108, 40, 77, 232, 237, 113, 38, 157, 195, 174, 134, 188, 175, 121, 28, 11, 236, 80, 146, 12, 38, 8, 12, 104, 46, 6, 247, 14, 149, 196, 23, 130, 116, 141, 137, 225, 74, 84, 111, 44, 163, 55, 10, 246, 154, 195, 158, 186, 241, 162, 11, 217, 77 },
- Q = new byte[] { 226, 89, 29, 67, 178, 205, 30, 152, 184, 165, 15, 152, 131, 245, 141, 80, 150, 3, 224, 136, 188, 248, 149, 36, 200, 250, 207, 156, 224, 79, 150, 191, 84, 214, 233, 173, 95, 192, 55, 123, 124, 255, 53, 85, 11, 233, 156, 66, 14, 27, 27, 163, 108, 199, 90, 37, 118, 38, 78, 171, 80, 26, 101, 37 },
- DP = new byte[] { 108, 176, 122, 132, 131, 187, 50, 191, 203, 157, 84, 29, 82, 100, 20, 205, 178, 236, 195, 17, 10, 254, 253, 222, 226, 226, 79, 8, 10, 222, 76, 178, 106, 230, 208, 8, 134, 162, 1, 133, 164, 232, 96, 109, 193, 226, 132, 138, 33, 252, 15, 86, 23, 228, 232, 54, 86, 186, 130, 7, 179, 208, 217, 217 },
- DQ = new byte[] { 175, 63, 252, 46, 140, 99, 208, 138, 194, 123, 218, 101, 101, 214, 91, 65, 199, 196, 220, 182, 66, 73, 221, 128, 11, 180, 85, 198, 202, 206, 20, 147, 179, 102, 106, 170, 247, 245, 229, 127, 81, 58, 111, 218, 151, 76, 154, 213, 114, 2, 127, 21, 187, 133, 102, 64, 151, 7, 245, 229, 34, 50, 45, 153 },
- InverseQ = new byte[] { 137, 156, 11, 248, 118, 201, 135, 145, 134, 121, 14, 162, 149, 14, 98, 84, 108, 160, 27, 91, 230, 116, 216, 181, 200, 49, 34, 254, 119, 153, 179, 52, 231, 234, 36, 148, 71, 161, 182, 171, 35, 182, 46, 164, 179, 100, 226, 71, 119, 23, 0, 16, 240, 4, 30, 57, 76, 109, 89, 131, 56, 219, 71, 206 },
- D = new byte[] { 108, 15, 123, 176, 150, 208, 197, 72, 23, 53, 159, 63, 53, 85, 238, 197, 153, 187, 156, 187, 192, 226, 186, 170, 26, 168, 245, 196, 65, 223, 248, 81, 170, 79, 91, 191, 83, 15, 31, 77, 39, 119, 249, 143, 245, 183, 49, 105, 115, 15, 122, 242, 87, 221, 94, 230, 196, 146, 59, 7, 103, 94, 9, 223, 146, 180, 189, 86, 190, 94, 242, 59, 32, 54, 23, 181, 124, 170, 63, 172, 90, 158, 169, 140, 6, 102, 170, 0, 135, 199, 35, 196, 212, 238, 196, 56, 14, 0, 140, 197, 169, 240, 156, 43, 182, 123, 102, 79, 89, 20, 120, 171, 43, 223, 58, 190, 230, 166, 185, 162, 186, 226, 31, 206, 196, 188, 104, 1 },
- };
-#else
- // This is how you could generate your own public/private key pair.
- // As we generate a new random key, we need to set the UseMachineKeyStore flag so that this doesn't
- // crash on IIS. For more information:
- // http://social.msdn.microsoft.com/Forums/en-US/clr/thread/7ea48fd0-8d6b-43ed-b272-1a0249ae490f?prof=required
- var cspParameters = new CspParameters();
- cspParameters.Flags = CspProviderFlags.UseArchivableKey | CspProviderFlags.UseMachineKeyStore;
- var keyPair = new RSACryptoServiceProvider(cspParameters);
-
- // After exporting the private/public key information, read the information out and store it somewhere
- var privateKey = keyPair.ExportParameters(true);
- var publicKey = keyPair.ExportParameters(false);
-
- // Ultimately the private key information must be what is returned through the AccessTokenSigningPrivateKey property.
- return privateKey;
-#endif
- }
-
  #region Implementation of IAuthorizationServer
  public byte[] Secret {
@@ -124,6 +74,56 @@
  return false;
  }
+ /// <summary>
+ /// Creates a symmetric secret used to sign and encrypt authorization server refresh tokens.
+ /// </summary>
+ /// <returns>A cryptographically strong symmetric key.</returns>
+ private static byte[] CreateSecret() {
+ // TODO: Replace this sample code with real code.
+ // For this sample, we just generate random secrets.
+ RandomNumberGenerator crypto = new RNGCryptoServiceProvider();
+ var secret = new byte[32]; // 256-bit symmetric key to protect all protected resources.
+ crypto.GetBytes(secret);
+ return secret;
+ }
+
+ /// <summary>
+ /// Creates the RSA key used by all the crypto service provider instances we create.
+ /// </summary>
+ /// <returns>RSA data that includes the private key.</returns>
+ private static RSAParameters CreateRSAKey() {
+#if SAMPLESONLY
+ // Since the sample authorization server and the sample resource server must work together,
+ // we hard-code a FOR SAMPLE USE ONLY key pair. The matching public key information is hard-coded into the OAuthResourceServer sample.
+ // In a real app, the RSA parameters would typically come from a certificate that may already exist. It may simply be the HTTPS certificate for the auth server.
+ return new RSAParameters {
+ Exponent = new byte[] { 1, 0, 1 },
+ Modulus = new byte[] { 210, 95, 53, 12, 203, 114, 150, 23, 23, 88, 4, 200, 47, 219, 73, 54, 146, 253, 126, 121, 105, 91, 118, 217, 182, 167, 140, 6, 67, 112, 97, 183, 66, 112, 245, 103, 136, 222, 205, 28, 196, 45, 6, 223, 192, 76, 56, 180, 90, 120, 144, 19, 31, 193, 37, 129, 186, 214, 36, 53, 204, 53, 108, 133, 112, 17, 133, 244, 3, 12, 230, 29, 243, 51, 79, 253, 10, 111, 185, 23, 74, 230, 99, 94, 78, 49, 209, 39, 95, 213, 248, 212, 22, 4, 222, 145, 77, 190, 136, 230, 134, 70, 228, 241, 194, 216, 163, 234, 52, 1, 64, 181, 139, 128, 90, 255, 214, 60, 168, 233, 254, 110, 31, 102, 58, 67, 201, 33 },
+ P = new byte[] { 237, 238, 79, 75, 29, 57, 145, 201, 57, 177, 215, 108, 40, 77, 232, 237, 113, 38, 157, 195, 174, 134, 188, 175, 121, 28, 11, 236, 80, 146, 12, 38, 8, 12, 104, 46, 6, 247, 14, 149, 196, 23, 130, 116, 141, 137, 225, 74, 84, 111, 44, 163, 55, 10, 246, 154, 195, 158, 186, 241, 162, 11, 217, 77 },
+ Q = new byte[] { 226, 89, 29, 67, 178, 205, 30, 152, 184, 165, 15, 152, 131, 245, 141, 80, 150, 3, 224, 136, 188, 248, 149, 36, 200, 250, 207, 156, 224, 79, 150, 191, 84, 214, 233, 173, 95, 192, 55, 123, 124, 255, 53, 85, 11, 233, 156, 66, 14, 27, 27, 163, 108, 199, 90, 37, 118, 38, 78, 171, 80, 26, 101, 37 },
+ DP = new byte[] { 108, 176, 122, 132, 131, 187, 50, 191, 203, 157, 84, 29, 82, 100, 20, 205, 178, 236, 195, 17, 10, 254, 253, 222, 226, 226, 79, 8, 10, 222, 76, 178, 106, 230, 208, 8, 134, 162, 1, 133, 164, 232, 96, 109, 193, 226, 132, 138, 33, 252, 15, 86, 23, 228, 232, 54, 86, 186, 130, 7, 179, 208, 217, 217 },
+ DQ = new byte[] { 175, 63, 252, 46, 140, 99, 208, 138, 194, 123, 218, 101, 101, 214, 91, 65, 199, 196, 220, 182, 66, 73, 221, 128, 11, 180, 85, 198, 202, 206, 20, 147, 179, 102, 106, 170, 247, 245, 229, 127, 81, 58, 111, 218, 151, 76, 154, 213, 114, 2, 127, 21, 187, 133, 102, 64, 151, 7, 245, 229, 34, 50, 45, 153 },
+ InverseQ = new byte[] { 137, 156, 11, 248, 118, 201, 135, 145, 134, 121, 14, 162, 149, 14, 98, 84, 108, 160, 27, 91, 230, 116, 216, 181, 200, 49, 34, 254, 119, 153, 179, 52, 231, 234, 36, 148, 71, 161, 182, 171, 35, 182, 46, 164, 179, 100, 226, 71, 119, 23, 0, 16, 240, 4, 30, 57, 76, 109, 89, 131, 56, 219, 71, 206 },
+ D = new byte[] { 108, 15, 123, 176, 150, 208, 197, 72, 23, 53, 159, 63, 53, 85, 238, 197, 153, 187, 156, 187, 192, 226, 186, 170, 26, 168, 245, 196, 65, 223, 248, 81, 170, 79, 91, 191, 83, 15, 31, 77, 39, 119, 249, 143, 245, 183, 49, 105, 115, 15, 122, 242, 87, 221, 94, 230, 196, 146, 59, 7, 103, 94, 9, 223, 146, 180, 189, 86, 190, 94, 242, 59, 32, 54, 23, 181, 124, 170, 63, 172, 90, 158, 169, 140, 6, 102, 170, 0, 135, 199, 35, 196, 212, 238, 196, 56, 14, 0, 140, 197, 169, 240, 156, 43, 182, 123, 102, 79, 89, 20, 120, 171, 43, 223, 58, 190, 230, 166, 185, 162, 186, 226, 31, 206, 196, 188, 104, 1 },
+ };
+#else
+ // This is how you could generate your own public/private key pair.
+ // As we generate a new random key, we need to set the UseMachineKeyStore flag so that this doesn't
+ // crash on IIS. For more information:
+ // http://social.msdn.microsoft.com/Forums/en-US/clr/thread/7ea48fd0-8d6b-43ed-b272-1a0249ae490f?prof=required
+ var cspParameters = new CspParameters();
+ cspParameters.Flags = CspProviderFlags.UseArchivableKey | CspProviderFlags.UseMachineKeyStore;
+ var keyPair = new RSACryptoServiceProvider(cspParameters);
+
+ // After exporting the private/public key information, read the information out and store it somewhere
+ var privateKey = keyPair.ExportParameters(true);
+ var publicKey = keyPair.ExportParameters(false);
+
+ // Ultimately the private key information must be what is returned through the AccessTokenSigningPrivateKey property.
+ return privateKey;
+#endif
+ }
+
  private bool IsAuthorizationValid(HashSet<string> requestedScopes, string clientIdentifier, DateTime issuedUtc, string username) {
  var grantedScopeStrings = from auth in MvcApplication.DataContext.ClientAuthorizations
  where
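Review bot: `CreateSecret` and the `#else` branch of `CreateRSAKey` construct `RNGCryptoServiceProvider` and `RSACryptoServiceProvider` without disposing them; both types are IDisposable, so the provider lines should read `using (var crypto = new RNGCryptoServiceProvider()) { crypto.GetBytes(secret); }` and `using (var keyPair = new RSACryptoServiceProvider(cspParameters)) { ... }`. In the same `#else` branch `var publicKey = keyPair.ExportParameters(false);` is assigned and never read, while the comment above it tells the reader to store it somewhere; either remove the line or have the comment say the export is illustrative. The two methods are moved verbatim from the hunk above, so this is pre-existing, but the new side is where they now live. `IsAuthorizationValid`, which starts at the end of this hunk, continues outside it.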
diff --git a/src/DotNetOpenAuth/AsymmetricCryptoKeyStoreWrapper.cs b/src/DotNetOpenAuth/AsymmetricCryptoKeyStoreWrapper.cs
index 203d6ab..ff859ab 100644
--- a/src/DotNetOpenAuth/AsymmetricCryptoKeyStoreWrapper.cs
+++ b/src/DotNetOpenAuth/AsymmetricCryptoKeyStoreWrapper.cs
@@ -99,8 +99,12 @@ namespace DotNetOpenAuth {
  /// <summary>
  /// Decrypts the specified key.
  /// </summary>
+ /// <param name="bucket">The bucket.</param>
+ /// <param name="handle">The handle.</param>
  /// <param name="encryptedCryptoKey">The encrypted key.</param>
- /// <returns>The decrypted key.</returns>
+ /// <returns>
+ /// The decrypted key.
+ /// </returns>
  private CryptoKey Decrypt(string bucket, string handle, CryptoKey encryptedCryptoKey) {
  if (encryptedCryptoKey == null) {
  return null;
@@ -140,7 +144,7 @@ namespace DotNetOpenAuth {
  }
  /// <summary>
- /// Gets or sets the encrypted key.
+ /// Gets the encrypted key.
  /// </summary>
  internal byte[] EncryptedKey { get; private set; }
diff --git a/src/DotNetOpenAuth/CryptoKey.cs b/src/DotNetOpenAuth/CryptoKey.cs
index 7a4f788..f491551 100644
--- a/src/DotNetOpenAuth/CryptoKey.cs
+++ b/src/DotNetOpenAuth/CryptoKey.cs
@@ -7,9 +7,9 @@ namespace DotNetOpenAuth {
  using System;
  using System.Collections.Generic;
+ using System.Diagnostics.Contracts;
  using System.Linq;
  using System.Text;
- using System.Diagnostics.Contracts;
  using DotNetOpenAuth.Messaging;
  /// <summary>
@@ -67,7 +67,7 @@ namespace DotNetOpenAuth {
  /// </returns>
  /// <exception cref="T:System.NullReferenceException">
  /// The <paramref name="obj"/> parameter is null.
- /// </exception>
+ /// </exception>
  public override bool Equals(object obj) {
  var other = obj as CryptoKey;
  if (other == null) {
diff --git a/src/DotNetOpenAuth/ICryptoKeyStore.cs b/src/DotNetOpenAuth/ICryptoKeyStore.cs
index d2a5147..cc96b99 100644
--- a/src/DotNetOpenAuth/ICryptoKeyStore.cs
+++ b/src/DotNetOpenAuth/ICryptoKeyStore.cs
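Review bot: The two `<param>` elements added to `Decrypt` in the `@@ -99,8 +99,12 @@` hunk, `The bucket.` and `The handle.`, only repeat the parameter names and tell a caller nothing. The `ICryptoKeyStore` contract hunk in this same commit documents the same two arguments as `The bucket name. Case sensitive.` and `The key handle. Case sensitive.`; using that wording here keeps the case-sensitivity rule visible at the point where the wrapper resolves a key. The body of `Decrypt` continues past the end of the hunk.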
@@ -62,8 +62,13 @@ namespace DotNetOpenAuth {
  [ContractClassFor(typeof(ICryptoKeyStore))]
  internal abstract class ICryptoKeyStoreContract : ICryptoKeyStore {
  /// <summary>
- /// See the <see cref="ICryptoKeyStore"/> interface.
+ /// Gets the key in a given bucket and handle.
  /// </summary>
+ /// <param name="bucket">The bucket name. Case sensitive.</param>
+ /// <param name="handle">The key handle. Case sensitive.</param>
+ /// <returns>
+ /// The cryptographic key, or <c>null</c> if no matching key was found.
+ /// </returns>
  CryptoKey ICryptoKeyStore.GetKey(string bucket, string handle) {
  Contract.Requires<ArgumentException>(!String.IsNullOrEmpty(bucket));
  Contract.Requires<ArgumentException>(!String.IsNullOrEmpty(handle));
@@ -71,8 +76,12 @@ namespace DotNetOpenAuth {
  }
  /// <summary>
- /// See the <see cref="ICryptoKeyStore"/> interface.
+ /// Gets a sequence of existing keys within a given bucket.
  /// </summary>
+ /// <param name="bucket">The bucket name. Case sensitive.</param>
+ /// <returns>
+ /// A sequence of handles and keys, ordered by descending <see cref="CryptoKey.ExpiresUtc"/>.
+ /// </returns>
  IEnumerable<KeyValuePair<string, CryptoKey>> ICryptoKeyStore.GetKeys(string bucket) {
  Contract.Requires<ArgumentException>(!String.IsNullOrEmpty(bucket));
  Contract.Ensures(Contract.Result<IEnumerable<KeyValuePair<string, CryptoKey>>>() != null);
@@ -80,8 +89,12 @@ namespace DotNetOpenAuth {
  }
  /// <summary>
- /// See the <see cref="ICryptoKeyStore"/> interface.
+ /// Stores a cryptographic key.
  /// </summary>
+ /// <param name="bucket">The name of the bucket to store the key in. Case sensitive.</param>
+ /// <param name="handle">The handle to the key, unique within the bucket. Case sensitive.</param>
+ /// <param name="key">The key to store.</param>
+ /// <exception cref="CryptoKeyCollisionException">Thrown in the event of a conflict with an existing key in the same bucket and with the same handle.</exception>
  void ICryptoKeyStore.StoreKey(string bucket, string handle, CryptoKey key) {
  Contract.Requires<ArgumentException>(!String.IsNullOrEmpty(bucket));
  Contract.Requires<ArgumentException>(!String.IsNullOrEmpty(handle));
@@ -90,8 +103,10 @@ namespace DotNetOpenAuth {
  }
  /// <summary>
- /// See the <see cref="ICryptoKeyStore"/> interface.
+ /// Removes the key.
  /// </summary>
+ /// <param name="bucket">The bucket name. Case sensitive.</param>
+ /// <param name="handle">The key handle. Case sensitive.</param>
  void ICryptoKeyStore.RemoveKey(string bucket, string handle) {
  Contract.Requires<ArgumentException>(!String.IsNullOrEmpty(bucket));
  Contract.Requires<ArgumentException>(!String.IsNullOrEmpty(handle));
diff --git a/src/DotNetOpenAuth/OpenId/ChannelElements/OpenIdChannel.cs b/src/DotNetOpenAuth/OpenId/ChannelElements/OpenIdChannel.cs
index fc37954..6ff62a3 100644
--- a/src/DotNetOpenAuth/OpenId/ChannelElements/OpenIdChannel.cs
+++ b/src/DotNetOpenAuth/OpenId/ChannelElements/OpenIdChannel.cs
@@ -304,7 +304,7 @@ namespace DotNetOpenAuth.OpenId.ChannelElements {
  /// <summary>
  /// Initializes the binding elements.
  /// </summary>
- /// <param name="associationStore">The association store.</param>
+ /// <param name="cryptoKeyStore">The crypto key store.</param>
  /// <param name="nonceStore">The nonce store to use.</param>
  /// <param name="securitySettings">The security settings to apply. Must be an instance of either <see cref="RelyingPartySecuritySettings"/> or <see cref="ProviderSecuritySettings"/>.</param>
  /// <param name="nonVerifying">A value indicating whether the channel is set up with no functional security binding elements.</param>
diff --git a/src/DotNetOpenAuth/OpenId/ChannelElements/ReturnToSignatureBindingElement.cs b/src/DotNetOpenAuth/OpenId/ChannelElements/ReturnToSignatureBindingElement.cs
index fea68d0..939f4f6 100644
--- a/src/DotNetOpenAuth/OpenId/ChannelElements/ReturnToSignatureBindingElement.cs
+++ b/src/DotNetOpenAuth/OpenId/ChannelElements/ReturnToSignatureBindingElement.cs
@@ -56,8 +56,7 @@ namespace DotNetOpenAuth.OpenId.ChannelElements {
  /// <summary>
  /// Initializes a new instance of the <see cref="ReturnToSignatureBindingElement"/> class.
  /// </summary>
- /// <param name="secretStore">The secret store from which to retrieve the secret used for signing.</param>
- /// <param name="securitySettings">The security settings.</param>
+ /// <param name="cryptoKeyStore">The crypto key store.</param>
  internal ReturnToSignatureBindingElement(ICryptoKeyStore cryptoKeyStore) {
  Contract.Requires<ArgumentNullException>(cryptoKeyStore != null);
diff --git a/src/DotNetOpenAuth/OpenId/Provider/OpenIdProvider.cs b/src/DotNetOpenAuth/OpenId/Provider/OpenIdProvider.cs
index 24bb8b0..e8c8881 100644
--- a/src/DotNetOpenAuth/OpenId/Provider/OpenIdProvider.cs
+++ b/src/DotNetOpenAuth/OpenId/Provider/OpenIdProvider.cs
@@ -572,13 +572,26 @@ namespace DotNetOpenAuth.OpenId.Provider {
  /// association handle encoding modes.
  /// </summary>
  private class SwitchingAssociationStore : IProviderAssociationStore {
+ /// <summary>
+ /// The security settings of the Provider.
+ /// </summary>
  private readonly ProviderSecuritySettings securitySettings;
+ /// <summary>
+ /// The association store that records association secrets in the association handles themselves.
+ /// </summary>
  private IProviderAssociationStore associationHandleEncoder;
+ /// <summary>
+ /// The association store that records association secrets in a secret store.
+ /// </summary>
  private IProviderAssociationStore associationSecretStorage;
-
+ /// <summary>
+ /// Initializes a new instance of the <see cref="SwitchingAssociationStore"/> class.
+ /// </summary>
+ /// <param name="cryptoKeyStore">The crypto key store.</param>
+ /// <param name="securitySettings">The security settings.</param>
  internal SwitchingAssociationStore(ICryptoKeyStore cryptoKeyStore, ProviderSecuritySettings securitySettings) {
  Contract.Requires<ArgumentNullException>(cryptoKeyStore != null, "cryptoKeyStore");
  Contract.Requires<ArgumentNullException>(securitySettings != null, "securitySettings");
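Review bot: `associationHandleEncoder` and `associationSecretStorage` stay mutable private fields while `securitySettings` beside them is `readonly`, even though the new doc comments describe all three as fixed collaborators. The following hunk shows `this.associationSecretStorage` being assigned in the constructor, and the handle encoder is presumably assigned there as well, so both could be declared `private readonly IProviderAssociationStore associationHandleEncoder;` and `private readonly IProviderAssociationStore associationSecretStorage;` so the store selection cannot be swapped after construction. The constructor body continues outside this hunk.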
@@ -588,14 +601,36 @@ namespace DotNetOpenAuth.OpenId.Provider {
  this.associationSecretStorage = new ProviderAssociationKeyStorage(cryptoKeyStore);
  }
+ /// <summary>
+ /// Gets the association store that applies given the Provider's current security settings.
+ /// </summary>
  internal IProviderAssociationStore AssociationStore {
  get { return this.securitySettings.EncodeAssociationSecretsInHandles ? this.associationHandleEncoder : this.associationSecretStorage; }
  }
+ /// <summary>
+ /// Stores an association and returns a handle for it.
+ /// </summary>
+ /// <param name="secret">The association secret.</param>
+ /// <param name="expiresUtc">The UTC time that the association should expire.</param>
+ /// <param name="privateAssociation">A value indicating whether this is a private association.</param>
+ /// <returns>
+ /// The association handle that represents this association.
+ /// </returns>
  public string Serialize(byte[] secret, DateTime expiresUtc, bool privateAssociation) {
  return this.AssociationStore.Serialize(secret, expiresUtc, privateAssociation);
  }
+ /// <summary>
+ /// Retrieves an association given an association handle.
+ /// </summary>
+ /// <param name="containingMessage">The OpenID message that referenced this association handle.</param>
+ /// <param name="isPrivateAssociation">A value indicating whether a private association is expected.</param>
+ /// <param name="handle">The association handle.</param>
+ /// <returns>
+ /// An association instance, or <c>null</c> if the association has expired or the signature is incorrect (which may be because the OP's symmetric key has changed).
+ /// </returns>
+ /// <exception cref="ProtocolException">Thrown if the association is not of the expected type.</exception>
  public Association Deserialize(IProtocolMessage containingMessage, bool isPrivateAssociation, string handle) {
  return this.AssociationStore.Deserialize(containingMessage, isPrivateAssociation, handle);
  }
diff --git a/src/DotNetOpenAuth/OpenId/Provider/ProviderAssociationKeyStorage.cs b/src/DotNetOpenAuth/OpenId/Provider/ProviderAssociationKeyStorage.cs
index 4626e88..3ddf943 100644
--- a/src/DotNetOpenAuth/OpenId/Provider/ProviderAssociationKeyStorage.cs
+++ b/src/DotNetOpenAuth/OpenId/Provider/ProviderAssociationKeyStorage.cs
@@ -6,24 +6,47 @@ namespace DotNetOpenAuth.OpenId.Provider {
  using System;
- using System.Collections.Generic;
- using System.Linq;
- using System.Text;
  using System.Diagnostics.Contracts;
  using DotNetOpenAuth.Messaging;
+ /// <summary>
+ /// An association storage mechanism that stores the association secrets in a private store,
+ /// and returns randomly generated association handles to refer to these secrets.
+ /// </summary>
  internal class ProviderAssociationKeyStorage : IProviderAssociationStore {
+ /// <summary>
+ /// The bucket to use when recording shared associations.
+ /// </summary>
  private const string SharedAssociationBucket = "https://localhost/dnoa/shared_associations";
+ /// <summary>
+ /// The bucket to use when recording private associations.
+ /// </summary>
  private const string PrivateAssociationBucket = "https://localhost/dnoa/private_associations";
+ /// <summary>
+ /// The backing crypto key store.
+ /// </summary>
  private readonly ICryptoKeyStore cryptoKeyStore;
+ /// <summary>
+ /// Initializes a new instance of the <see cref="ProviderAssociationKeyStorage"/> class.
+ /// </summary>
+ /// <param name="cryptoKeyStore">The store where association secrets will be recorded.</param>
  internal ProviderAssociationKeyStorage(ICryptoKeyStore cryptoKeyStore) {
  Contract.Requires<ArgumentNullException>(cryptoKeyStore != null, "cryptoKeyStore");
  this.cryptoKeyStore = cryptoKeyStore;
  }
+ /// <summary>
+ /// Stores an association and returns a handle for it.
+ /// </summary>
+ /// <param name="secret">The association secret.</param>
+ /// <param name="expiresUtc">The UTC time that the association should expire.</param>
+ /// <param name="privateAssociation">A value indicating whether this is a private association.</param>
+ /// <returns>
+ /// The association handle that represents this association.
+ /// </returns>
  public string Serialize(byte[] secret, DateTime expiresUtc, bool privateAssociation) {
  string handle;
  this.cryptoKeyStore.StoreKey(
@@ -33,6 +56,16 @@ namespace DotNetOpenAuth.OpenId.Provider {
  return handle;
  }
+ /// <summary>
+ /// Retrieves an association given an association handle.
+ /// </summary>
+ /// <param name="containingMessage">The OpenID message that referenced this association handle.</param>
+ /// <param name="isPrivateAssociation">A value indicating whether a private association is expected.</param>
+ /// <param name="handle">The association handle.</param>
+ /// <returns>
+ /// An association instance, or <c>null</c> if the association has expired or the signature is incorrect (which may be because the OP's symmetric key has changed).
+ /// </returns>
+ /// <exception cref="ProtocolException">Thrown if the association is not of the expected type.</exception>
  public Association Deserialize(IProtocolMessage containingMessage, bool isPrivateAssociation, string handle) {
  var key = this.cryptoKeyStore.GetKey(isPrivateAssociation ? PrivateAssociationBucket : SharedAssociationBucket, handle);
  if (key != null) {
diff --git a/src/DotNetOpenAuth/OpenId/RelyingParty/CryptoKeyStoreAsRelyingPartyAssociationStore.cs b/src/DotNetOpenAuth/OpenId/RelyingParty/CryptoKeyStoreAsRelyingPartyAssociationStore.cs
index 8fc5f0e..3b48a4b 100644
--- a/src/DotNetOpenAuth/OpenId/RelyingParty/CryptoKeyStoreAsRelyingPartyAssociationStore.cs
+++ b/src/DotNetOpenAuth/OpenId/RelyingParty/CryptoKeyStoreAsRelyingPartyAssociationStore.cs
@@ -6,10 +6,8 @@ namespace DotNetOpenAuth.OpenId.RelyingParty {
  using System;
- using System.Collections.Generic;
- using System.Linq;
- using System.Text;
  using System.Diagnostics.Contracts;
+ using System.Linq;
  /// <summary>
  /// Wraps a standard <see cref="ICryptoKeyStore"/> so that it behaves as an association store. |
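Review bot: The new `<returns>` text on `Deserialize` promises `null` for an expired or unknown handle, but the line after the signature passes `handle` straight into `ICryptoKeyStore.GetKey`, whose contract class in this same commit requires a non-empty handle, so an empty handle taken from the incoming message would surface as an `ArgumentException` unless a caller outside this hunk filters it first. A guard such as `if (string.IsNullOrEmpty(handle)) { return null; }` ahead of the `GetKey` call would make the method match its documentation. The clause "or the signature is incorrect (which may be because the OP's symmetric key has changed)" also appears to be copied from the `SwitchingAssociationStore` text added earlier in the commit; as far as the hunk shows, this class resolves the handle against the key store rather than checking a signature, so saying that null is returned when no key exists for the handle would describe it more accurately. The body of `Deserialize` continues past the end of the hunk.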