Created an IProviderAssociationStore interface so that encoding the association into the handle is just one option.

30 files changed, 270 insertions, 140 deletions

diff --git a/src/DotNetOpenAuth.Test/OpenId/AssociationHandshakeTests.cs b/src/DotNetOpenAuth.Test/OpenId/AssociationHandshakeTests.cs
index ee62084..4e207fc 100644
--- a/src/DotNetOpenAuth.Test/OpenId/AssociationHandshakeTests.cs
+++ b/src/DotNetOpenAuth.Test/OpenId/AssociationHandshakeTests.cs
@@ -353,7 +353,7 @@ namespace DotNetOpenAuth.Test.OpenId {
 			if (expectSuccess) {
 				Assert.IsNotNull(rpAssociation);
 				Assert.AreSame(rpAssociation, coordinator.RelyingParty.AssociationManager.AssociationStoreTestHook.GetAssociation(opDescription.Uri, rpAssociation.Handle));
-				opAssociation = coordinator.Provider.AssociationStore.Decode(new TestSignedDirectedMessage(), AssociationRelyingPartyType.Smart, rpAssociation.Handle);
+				opAssociation = coordinator.Provider.AssociationStore.Deserialize(new TestSignedDirectedMessage(), false, rpAssociation.Handle);
 				Assert.IsNotNull(opAssociation, "The Provider could not decode the association handle.");
 
 				Assert.AreEqual(opAssociation.Handle, rpAssociation.Handle);
diff --git a/src/DotNetOpenAuth.Test/OpenId/AuthenticationTests.cs b/src/DotNetOpenAuth.Test/OpenId/AuthenticationTests.cs
index 9e5c754..63e9fdc 100644
--- a/src/DotNetOpenAuth.Test/OpenId/AuthenticationTests.cs
+++ b/src/DotNetOpenAuth.Test/OpenId/AuthenticationTests.cs
@@ -139,7 +139,7 @@ namespace DotNetOpenAuth.Test.OpenId {
 			Contract.Requires<ArgumentException>(!statelessRP || !sharedAssociation, "The RP cannot be stateless while sharing an association with the OP.");
 			Contract.Requires<ArgumentException>(positive || !tamper, "Cannot tamper with a negative response.");
 			var securitySettings = new ProviderSecuritySettings();
-			var associationStore = new ProviderAssociationStore();
+			var associationStore = new ProviderAssociationHandleEncoder();
 			Association association = sharedAssociation ? HmacShaAssociation.Create(protocol, protocol.Args.SignatureAlgorithm.Best, AssociationRelyingPartyType.Smart, associationStore, securitySettings) : null;
 			var coordinator = new OpenIdCoordinator(
 				rp => {
@@ -197,7 +197,7 @@ namespace DotNetOpenAuth.Test.OpenId {
 					}
 				},
 				op => {
-					op.AssociationStore.Secret = associationStore.Secret;
+					((ProviderAssociationHandleEncoder)op.AssociationStore).Secret = associationStore.Secret;
 					var request = op.Channel.ReadFromRequest<CheckIdRequest>();
 					Assert.IsNotNull(request);
 					IProtocolMessage response;
diff --git a/src/DotNetOpenAuth.Test/OpenId/ChannelElements/SigningBindingElementTests.cs b/src/DotNetOpenAuth.Test/OpenId/ChannelElements/SigningBindingElementTests.cs
index dbbe7f0..56b6b9a 100644
--- a/src/DotNetOpenAuth.Test/OpenId/ChannelElements/SigningBindingElementTests.cs
+++ b/src/DotNetOpenAuth.Test/OpenId/ChannelElements/SigningBindingElementTests.cs
@@ -23,9 +23,9 @@ namespace DotNetOpenAuth.Test.OpenId.ChannelElements {
 		public void SignaturesMatchKnownGood() {
 			Protocol protocol = Protocol.V20;
 			var settings = new ProviderSecuritySettings();
-			var store = new ProviderAssociationStore();
+			var store = new ProviderAssociationHandleEncoder();
 			byte[] associationSecret = Convert.FromBase64String("rsSwv1zPWfjPRQU80hciu8FPDC+GONAMJQ/AvSo1a2M=");
-			string handle = store.Encode(new AssociationDataBag { Secret = associationSecret, ExpiresUtc = DateTime.UtcNow.AddDays(1), AssociationType = AssociationRelyingPartyType.Smart });
+			string handle = store.Serialize(associationSecret, DateTime.UtcNow.AddDays(1), false);
 			Association association = HmacShaAssociation.Create(handle, associationSecret, TimeSpan.FromDays(1));
 			SigningBindingElement signer = new SigningBindingElement(store, settings);
 			signer.Channel = new TestChannel(this.MessageDescriptions);
@@ -45,7 +45,7 @@ namespace DotNetOpenAuth.Test.OpenId.ChannelElements {
 		[TestCase]
 		public void SignedResponsesIncludeExtraDataInSignature() {
 			Protocol protocol = Protocol.Default;
-			SigningBindingElement sbe = new SigningBindingElement(new ProviderAssociationStore(), new ProviderSecuritySettings());
+			SigningBindingElement sbe = new SigningBindingElement(new ProviderAssociationHandleEncoder(), new ProviderSecuritySettings());
 			sbe.Channel = new TestChannel(this.MessageDescriptions);
 			IndirectSignedResponse response = new IndirectSignedResponse(protocol.Version, RPUri);
 			response.ReturnTo = RPUri;
diff --git a/src/DotNetOpenAuth.Test/OpenId/Extensions/ExtensionTestUtilities.cs b/src/DotNetOpenAuth.Test/OpenId/Extensions/ExtensionTestUtilities.cs
index fc1c98b..4ca2c90 100644
--- a/src/DotNetOpenAuth.Test/OpenId/Extensions/ExtensionTestUtilities.cs
+++ b/src/DotNetOpenAuth.Test/OpenId/Extensions/ExtensionTestUtilities.cs
@@ -34,7 +34,7 @@ namespace DotNetOpenAuth.Test.OpenId.Extensions {
 			IEnumerable<IOpenIdMessageExtension> requests,
 			IEnumerable<IOpenIdMessageExtension> responses) {
 			var securitySettings = new ProviderSecuritySettings();
-			var associationStore = new ProviderAssociationStore();
+			var associationStore = new ProviderAssociationHandleEncoder();
 			Association association = HmacShaAssociation.Create(protocol, protocol.Args.SignatureAlgorithm.Best, AssociationRelyingPartyType.Smart, associationStore, securitySettings);
 			var coordinator = new OpenIdCoordinator(
 				rp => {
@@ -58,7 +58,7 @@ namespace DotNetOpenAuth.Test.OpenId.Extensions {
 				},
 				op => {
 					RegisterExtension(op.Channel, Mocks.MockOpenIdExtension.Factory);
-					op.AssociationStore.Secret = associationStore.Secret;
+					((ProviderAssociationHandleEncoder)op.AssociationStore).Secret = associationStore.Secret;
 					var request = op.Channel.ReadFromRequest<CheckIdRequest>();
 					var response = new PositiveAssertionResponse(request);
 					var receivedRequests = request.Extensions.Cast<IOpenIdMessageExtension>();
diff --git a/src/DotNetOpenAuth/DotNetOpenAuth.csproj b/src/DotNetOpenAuth/DotNetOpenAuth.csproj
index ed3f63f..931366c 100644
--- a/src/DotNetOpenAuth/DotNetOpenAuth.csproj
+++ b/src/DotNetOpenAuth/DotNetOpenAuth.csproj
@@ -496,9 +496,10 @@ http://opensource.org/licenses/ms-pl.html
     <Compile Include="Messaging\ProtocolException.cs" />
     <Compile Include="OpenId\Association.cs" />
     <Compile Include="OpenId\Provider\AssociationDataBag.cs" />
+    <Compile Include="OpenId\Provider\IProviderAssociationStore.cs" />
     <Compile Include="OpenId\RelyingParty\AssociationMemoryStore.cs" />
-    <Compile Include="OpenId\Provider\ProviderAssociationStore.cs" />
-    <Compile Include="OpenId\RelyingParty\IAssociationStore.cs" />
+    <Compile Include="OpenId\Provider\ProviderAssociationHandleEncoder.cs" />
+    <Compile Include="OpenId\RelyingParty\IRelyingPartyAssociationStore.cs" />
     <Compile Include="OpenId\RelyingParty\Associations.cs" />
     <Compile Include="OpenId\Behaviors\AXFetchAsSregTransform.cs" />
     <Compile Include="OpenId\Behaviors\BehaviorStrings.Designer.cs">
diff --git a/src/DotNetOpenAuth/OpenId/Association.cs b/src/DotNetOpenAuth/OpenId/Association.cs
index 0a59a7d..25b4ea4 100644
--- a/src/DotNetOpenAuth/OpenId/Association.cs
+++ b/src/DotNetOpenAuth/OpenId/Association.cs
@@ -160,7 +160,7 @@ namespace DotNetOpenAuth.OpenId {
 		/// <returns>
 		/// The newly dehydrated <see cref="Association"/>, which can be returned
 		/// from a custom association store's 
-		/// <see cref="IAssociationStore.GetAssociation(Uri, SecuritySettings)"/> method.
+		/// <see cref="IRelyingPartyAssociationStore.GetAssociation(Uri, SecuritySettings)"/> method.
 		/// </returns>
 		public static Association Deserialize(string handle, DateTime expiresUtc, byte[] privateData) {
 			Contract.Requires<ArgumentNullException>(!String.IsNullOrEmpty(handle));
diff --git a/src/DotNetOpenAuth/OpenId/ChannelElements/OpenIdChannel.cs b/src/DotNetOpenAuth/OpenId/ChannelElements/OpenIdChannel.cs
index 5350e6c..0acd796 100644
--- a/src/DotNetOpenAuth/OpenId/ChannelElements/OpenIdChannel.cs
+++ b/src/DotNetOpenAuth/OpenId/ChannelElements/OpenIdChannel.cs
@@ -49,7 +49,7 @@ namespace DotNetOpenAuth.OpenId.ChannelElements {
 		/// <param name="associationStore">The association store to use.</param>
 		/// <param name="nonceStore">The nonce store to use.</param>
 		/// <param name="securitySettings">The security settings to apply.</param>
-		internal OpenIdChannel(IAssociationStore associationStore, INonceStore nonceStore, RelyingPartySecuritySettings securitySettings)
+		internal OpenIdChannel(IRelyingPartyAssociationStore associationStore, INonceStore nonceStore, RelyingPartySecuritySettings securitySettings)
 			: this(associationStore, nonceStore, new OpenIdMessageFactory(), securitySettings, false) {
 			Contract.Requires<ArgumentNullException>(securitySettings != null);
 		}
@@ -61,7 +61,7 @@ namespace DotNetOpenAuth.OpenId.ChannelElements {
 		/// <param name="associationStore">The OpenID Provider's association store or handle encoder.</param>
 		/// <param name="nonceStore">The nonce store to use.</param>
 		/// <param name="securitySettings">The security settings.</param>
-		internal OpenIdChannel(ProviderAssociationStore associationStore, INonceStore nonceStore, ProviderSecuritySettings securitySettings)
+		internal OpenIdChannel(IProviderAssociationStore associationStore, INonceStore nonceStore, ProviderSecuritySettings securitySettings)
 			: this(associationStore, nonceStore, new OpenIdMessageFactory(), securitySettings) {
 			Contract.Requires<ArgumentNullException>(associationStore != null, "associationStore");
 			Contract.Requires<ArgumentNullException>(securitySettings != null);
@@ -76,7 +76,7 @@ namespace DotNetOpenAuth.OpenId.ChannelElements {
 		/// <param name="messageTypeProvider">An object that knows how to distinguish the various OpenID message types for deserialization purposes.</param>
 		/// <param name="securitySettings">The security settings to apply.</param>
 		/// <param name="nonVerifying">A value indicating whether the channel is set up with no functional security binding elements.</param>
-		private OpenIdChannel(IAssociationStore associationStore, INonceStore nonceStore, IMessageFactory messageTypeProvider, RelyingPartySecuritySettings securitySettings, bool nonVerifying) :
+		private OpenIdChannel(IRelyingPartyAssociationStore associationStore, INonceStore nonceStore, IMessageFactory messageTypeProvider, RelyingPartySecuritySettings securitySettings, bool nonVerifying) :
 			this(messageTypeProvider, InitializeBindingElements(associationStore, nonceStore, securitySettings, nonVerifying)) {
 			Contract.Requires<ArgumentNullException>(messageTypeProvider != null);
 			Contract.Requires<ArgumentNullException>(securitySettings != null);
@@ -91,7 +91,7 @@ namespace DotNetOpenAuth.OpenId.ChannelElements {
 		/// <param name="nonceStore">The nonce store to use.</param>
 		/// <param name="messageTypeProvider">An object that knows how to distinguish the various OpenID message types for deserialization purposes.</param>
 		/// <param name="securitySettings">The security settings.</param>
-		private OpenIdChannel(ProviderAssociationStore associationStore, INonceStore nonceStore, IMessageFactory messageTypeProvider, ProviderSecuritySettings securitySettings) :
+		private OpenIdChannel(IProviderAssociationStore associationStore, INonceStore nonceStore, IMessageFactory messageTypeProvider, ProviderSecuritySettings securitySettings) :
 			this(messageTypeProvider, InitializeBindingElements(associationStore, nonceStore, securitySettings)) {
 			Contract.Requires<ArgumentNullException>(associationStore != null, "associationStore");
 			Contract.Requires<ArgumentNullException>(messageTypeProvider != null);
@@ -311,7 +311,7 @@ namespace DotNetOpenAuth.OpenId.ChannelElements {
 		/// <returns>
 		/// An array of binding elements which may be used to construct the channel.
 		/// </returns>
-		private static IChannelBindingElement[] InitializeBindingElements(IAssociationStore associationStore, INonceStore nonceStore, RelyingPartySecuritySettings securitySettings, bool nonVerifying) {
+		private static IChannelBindingElement[] InitializeBindingElements(IRelyingPartyAssociationStore associationStore, INonceStore nonceStore, RelyingPartySecuritySettings securitySettings, bool nonVerifying) {
 			Contract.Requires<ArgumentNullException>(securitySettings != null);
 
 			SigningBindingElement signingElement;
@@ -364,7 +364,7 @@ namespace DotNetOpenAuth.OpenId.ChannelElements {
 		/// <returns>
 		/// An array of binding elements which may be used to construct the channel.
 		/// </returns>
-		private static IChannelBindingElement[] InitializeBindingElements(ProviderAssociationStore associationStore, INonceStore nonceStore, ProviderSecuritySettings securitySettings) {
+		private static IChannelBindingElement[] InitializeBindingElements(IProviderAssociationStore associationStore, INonceStore nonceStore, ProviderSecuritySettings securitySettings) {
 			Contract.Requires<ArgumentNullException>(associationStore != null, "associationStore");
 			Contract.Requires<ArgumentNullException>(securitySettings != null);
 			Contract.Requires<ArgumentNullException>(nonceStore != null, "nonceStore");
diff --git a/src/DotNetOpenAuth/OpenId/ChannelElements/ReturnToSignatureBindingElement.cs b/src/DotNetOpenAuth/OpenId/ChannelElements/ReturnToSignatureBindingElement.cs
index aba5dbd..eee7509 100644
--- a/src/DotNetOpenAuth/OpenId/ChannelElements/ReturnToSignatureBindingElement.cs
+++ b/src/DotNetOpenAuth/OpenId/ChannelElements/ReturnToSignatureBindingElement.cs
@@ -52,7 +52,7 @@ namespace DotNetOpenAuth.OpenId.ChannelElements {
 		/// </summary>
 		/// <param name="secretStore">The secret store from which to retrieve the secret used for signing.</param>
 		/// <param name="securitySettings">The security settings.</param>
-		internal ReturnToSignatureBindingElement(IAssociationStore secretStore, RelyingPartySecuritySettings securitySettings) {
+		internal ReturnToSignatureBindingElement(IRelyingPartyAssociationStore secretStore, RelyingPartySecuritySettings securitySettings) {
 			Contract.Requires<ArgumentNullException>(secretStore != null);
 
 			this.secretManager = new PrivateSecretManager(securitySettings, secretStore);
diff --git a/src/DotNetOpenAuth/OpenId/ChannelElements/SigningBindingElement.cs b/src/DotNetOpenAuth/OpenId/ChannelElements/SigningBindingElement.cs
index 444098e..e8ef531 100644
--- a/src/DotNetOpenAuth/OpenId/ChannelElements/SigningBindingElement.cs
+++ b/src/DotNetOpenAuth/OpenId/ChannelElements/SigningBindingElement.cs
@@ -28,12 +28,12 @@ namespace DotNetOpenAuth.OpenId.ChannelElements {
 		/// <summary>
 		/// The association store used by Relying Parties to look up the secrets needed for signing.
 		/// </summary>
-		private readonly IAssociationStore rpAssociations;
+		private readonly IRelyingPartyAssociationStore rpAssociations;
 
 		/// <summary>
 		/// The association store used by Providers to look up the secrets needed for signing.
 		/// </summary>
-		private readonly ProviderAssociationStore opAssociations;
+		private readonly IProviderAssociationStore opAssociations;
 
 		/// <summary>
 		/// The security settings at the Provider.
@@ -45,7 +45,7 @@ namespace DotNetOpenAuth.OpenId.ChannelElements {
 		/// Initializes a new instance of the SigningBindingElement class for use by a Relying Party.
 		/// </summary>
 		/// <param name="associationStore">The association store used to look up the secrets needed for signing.  May be null for dumb Relying Parties.</param>
-		internal SigningBindingElement(IAssociationStore associationStore) {
+		internal SigningBindingElement(IRelyingPartyAssociationStore associationStore) {
 			this.rpAssociations = associationStore;
 		}
 
@@ -54,7 +54,7 @@ namespace DotNetOpenAuth.OpenId.ChannelElements {
 		/// </summary>
 		/// <param name="associationStore">The association store used to look up the secrets needed for signing.</param>
 		/// <param name="securitySettings">The security settings.</param>
-		internal SigningBindingElement(ProviderAssociationStore associationStore, ProviderSecuritySettings securitySettings) {
+		internal SigningBindingElement(IProviderAssociationStore associationStore, ProviderSecuritySettings securitySettings) {
 			Contract.Requires<ArgumentNullException>(associationStore != null, "associationStore");
 			Contract.Requires<ArgumentNullException>(securitySettings != null);
 
@@ -378,8 +378,8 @@ namespace DotNetOpenAuth.OpenId.ChannelElements {
 					// Since we have an association handle, we're either signing with a smart association,
 					// or verifying a dumb one.
 					bool signing = string.IsNullOrEmpty(signedMessage.Signature);
-					AssociationRelyingPartyType type = signing ? AssociationRelyingPartyType.Smart : AssociationRelyingPartyType.Dumb;
-					association = this.opAssociations.Decode(signedMessage, type, signedMessage.AssociationHandle);
+					bool isPrivateAssociation = !signing;
+					association = this.opAssociations.Deserialize(signedMessage, isPrivateAssociation, signedMessage.AssociationHandle);
 					if (association == null) {
 						// There was no valid association with the requested handle.
 						// Let's tell the RP to forget about that association.
diff --git a/src/DotNetOpenAuth/OpenId/HmacShaAssociation.cs b/src/DotNetOpenAuth/OpenId/HmacShaAssociation.cs
index 4fa88e9..168960f 100644
--- a/src/DotNetOpenAuth/OpenId/HmacShaAssociation.cs
+++ b/src/DotNetOpenAuth/OpenId/HmacShaAssociation.cs
@@ -152,7 +152,7 @@ namespace DotNetOpenAuth.OpenId {
 		/// <remarks>
 		/// The new association is NOT automatically put into an association store.  This must be done by the caller.
 		/// </remarks>
-		internal static HmacShaAssociation Create(Protocol protocol, string associationType, AssociationRelyingPartyType associationUse, ProviderAssociationStore associationStore, ProviderSecuritySettings securitySettings) {
+		internal static HmacShaAssociation Create(Protocol protocol, string associationType, AssociationRelyingPartyType associationUse, IProviderAssociationStore associationStore, ProviderSecuritySettings securitySettings) {
 			Contract.Requires<ArgumentNullException>(protocol != null);
 			Contract.Requires<ArgumentException>(!String.IsNullOrEmpty(associationType));
 			Contract.Requires<ArgumentNullException>(associationStore != null, "associationStore");
@@ -173,7 +173,7 @@ namespace DotNetOpenAuth.OpenId {
 				lifetime = DumbSecretLifetime;
 			}
 
-			string handle = associationStore.Encode(new AssociationDataBag { ExpiresUtc = DateTime.UtcNow + lifetime, Secret = secret, AssociationType = associationUse });
+			string handle = associationStore.Serialize(secret, DateTime.UtcNow + lifetime, associationUse == AssociationRelyingPartyType.Dumb);
 
 			Contract.Assert(protocol != null); // All the way up to the method call, the condition holds, yet we get a Requires failure next
 			Contract.Assert(secret != null);
diff --git a/src/DotNetOpenAuth/OpenId/Messages/AssociateDiffieHellmanResponse.cs b/src/DotNetOpenAuth/OpenId/Messages/AssociateDiffieHellmanResponse.cs
index d0d9c08..5237826 100644
--- a/src/DotNetOpenAuth/OpenId/Messages/AssociateDiffieHellmanResponse.cs
+++ b/src/DotNetOpenAuth/OpenId/Messages/AssociateDiffieHellmanResponse.cs
@@ -75,7 +75,7 @@ namespace DotNetOpenAuth.OpenId.Messages {
 		/// The response message is updated to include the details of the created association by this method,
 		/// but the resulting association is <i>not</i> added to the association store and must be done by the caller.
 		/// </remarks>
-		protected override Association CreateAssociationAtProvider(AssociateRequest request, ProviderAssociationStore associationStore, ProviderSecuritySettings securitySettings) {
+		protected override Association CreateAssociationAtProvider(AssociateRequest request, IProviderAssociationStore associationStore, ProviderSecuritySettings securitySettings) {
 			var diffieHellmanRequest = request as AssociateDiffieHellmanRequest;
 			ErrorUtilities.VerifyInternal(diffieHellmanRequest != null, "Expected a DH request type.");
 
diff --git a/src/DotNetOpenAuth/OpenId/Messages/AssociateRequest.cs b/src/DotNetOpenAuth/OpenId/Messages/AssociateRequest.cs
index ea7e3c6..04d566e 100644
--- a/src/DotNetOpenAuth/OpenId/Messages/AssociateRequest.cs
+++ b/src/DotNetOpenAuth/OpenId/Messages/AssociateRequest.cs
@@ -140,7 +140,7 @@ namespace DotNetOpenAuth.OpenId.Messages {
 		///   <para>Successful association response messages will derive from <see cref="AssociateSuccessfulResponse"/>.
 		/// Failed association response messages will derive from <see cref="AssociateUnsuccessfulResponse"/>.</para>
 		/// </remarks>
-		internal IProtocolMessage CreateResponse(ProviderAssociationStore associationStore, ProviderSecuritySettings securitySettings) {
+		internal IProtocolMessage CreateResponse(IProviderAssociationStore associationStore, ProviderSecuritySettings securitySettings) {
 			Contract.Requires<ArgumentNullException>(associationStore != null, "associationStore");
 			Contract.Requires<ArgumentNullException>(securitySettings != null);
 
diff --git a/src/DotNetOpenAuth/OpenId/Messages/AssociateSuccessfulResponse.cs b/src/DotNetOpenAuth/OpenId/Messages/AssociateSuccessfulResponse.cs
index db4937e..42d8816 100644
--- a/src/DotNetOpenAuth/OpenId/Messages/AssociateSuccessfulResponse.cs
+++ b/src/DotNetOpenAuth/OpenId/Messages/AssociateSuccessfulResponse.cs
@@ -109,7 +109,7 @@ namespace DotNetOpenAuth.OpenId.Messages {
 		/// This method is called by both the Provider and the Relying Party, but actually performs
 		/// quite different operations in either scenario.
 		/// </remarks>
-		internal Association CreateAssociation(AssociateRequest request, ProviderAssociationStore associationStore, ProviderSecuritySettings securitySettings) {
+		internal Association CreateAssociation(AssociateRequest request, IProviderAssociationStore associationStore, ProviderSecuritySettings securitySettings) {
 			Contract.Requires<ArgumentNullException>(request != null);
 			ErrorUtilities.VerifyInternal(!this.associationCreated, "The association has already been created.");
 
@@ -147,7 +147,7 @@ namespace DotNetOpenAuth.OpenId.Messages {
 		///   <para>The response message is updated to include the details of the created association by this method,
 		/// but the resulting association is <i>not</i> added to the association store and must be done by the caller.</para>
 		/// </remarks>
-		protected abstract Association CreateAssociationAtProvider(AssociateRequest request, ProviderAssociationStore associationStore, ProviderSecuritySettings securitySettings);
+		protected abstract Association CreateAssociationAtProvider(AssociateRequest request, IProviderAssociationStore associationStore, ProviderSecuritySettings securitySettings);
 
 		/// <summary>
 		/// Called to create the Association based on a request previously given by the Relying Party.
diff --git a/src/DotNetOpenAuth/OpenId/Messages/AssociateSuccessfulResponseContract.cs b/src/DotNetOpenAuth/OpenId/Messages/AssociateSuccessfulResponseContract.cs
index c2e7a86..134d980 100644
--- a/src/DotNetOpenAuth/OpenId/Messages/AssociateSuccessfulResponseContract.cs
+++ b/src/DotNetOpenAuth/OpenId/Messages/AssociateSuccessfulResponseContract.cs
@@ -15,7 +15,7 @@ namespace DotNetOpenAuth.OpenId.Messages {
 		protected AssociateSuccessfulResponseContract() : base(null, null) {
 		}
 
-		protected override Association CreateAssociationAtProvider(AssociateRequest request, ProviderAssociationStore associationStore, ProviderSecuritySettings securitySettings) {
+		protected override Association CreateAssociationAtProvider(AssociateRequest request, IProviderAssociationStore associationStore, ProviderSecuritySettings securitySettings) {
 			Contract.Requires<ArgumentNullException>(request != null);
 			Contract.Requires<ArgumentNullException>(associationStore != null, "associationStore");
 			Contract.Requires<ArgumentNullException>(securitySettings != null);
diff --git a/src/DotNetOpenAuth/OpenId/Messages/AssociateUnencryptedResponse.cs b/src/DotNetOpenAuth/OpenId/Messages/AssociateUnencryptedResponse.cs
index 3647404..7e2194a 100644
--- a/src/DotNetOpenAuth/OpenId/Messages/AssociateUnencryptedResponse.cs
+++ b/src/DotNetOpenAuth/OpenId/Messages/AssociateUnencryptedResponse.cs
@@ -51,7 +51,7 @@ namespace DotNetOpenAuth.OpenId.Messages {
 		///   <para>The response message is updated to include the details of the created association by this method,
 		/// but the resulting association is <i>not</i> added to the association store and must be done by the caller.</para>
 		/// </remarks>
-		protected override Association CreateAssociationAtProvider(AssociateRequest request, ProviderAssociationStore associationStore, ProviderSecuritySettings securitySettings) {
+		protected override Association CreateAssociationAtProvider(AssociateRequest request, IProviderAssociationStore associationStore, ProviderSecuritySettings securitySettings) {
 			Association association = HmacShaAssociation.Create(Protocol, this.AssociationType, AssociationRelyingPartyType.Smart, associationStore, securitySettings);
 			this.MacKey = association.SecretKey;
 			return association;
diff --git a/src/DotNetOpenAuth/OpenId/Messages/CheckAuthenticationResponse.cs b/src/DotNetOpenAuth/OpenId/Messages/CheckAuthenticationResponse.cs
index 5d10ca4..f4d5243 100644
--- a/src/DotNetOpenAuth/OpenId/Messages/CheckAuthenticationResponse.cs
+++ b/src/DotNetOpenAuth/OpenId/Messages/CheckAuthenticationResponse.cs
@@ -47,7 +47,7 @@ namespace DotNetOpenAuth.OpenId.Messages {
 			// is not valid (any longer).  OpenID 2.0 section 11.4.2.2.
 			IndirectSignedResponse signedResponse = new IndirectSignedResponse(request, provider.Channel);
 			string invalidateHandle = ((ITamperResistantOpenIdMessage)signedResponse).InvalidateHandle;
-			if (!string.IsNullOrEmpty(invalidateHandle) && !provider.AssociationStore.IsValid(signedResponse, AssociationRelyingPartyType.Smart, invalidateHandle)) {
+			if (!string.IsNullOrEmpty(invalidateHandle) && !provider.AssociationStore.IsValid(signedResponse, false, invalidateHandle)) {
 				this.InvalidateHandle = invalidateHandle;
 			}
 		}
diff --git a/src/DotNetOpenAuth/OpenId/OpenIdUtilities.cs b/src/DotNetOpenAuth/OpenId/OpenIdUtilities.cs
index 04eb23c..15e448b 100644
--- a/src/DotNetOpenAuth/OpenId/OpenIdUtilities.cs
+++ b/src/DotNetOpenAuth/OpenId/OpenIdUtilities.cs
@@ -23,7 +23,7 @@ namespace DotNetOpenAuth.OpenId {
 	/// <summary>
 	/// A set of utilities especially useful to OpenID.
 	/// </summary>
-	public static class OpenIdUtilities {
+	internal static class OpenIdUtilities {
 		/// <summary>
 		/// The prefix to designate this library's proprietary parameters added to the protocol.
 		/// </summary>
@@ -156,5 +156,26 @@ namespace DotNetOpenAuth.OpenId {
 			ErrorUtilities.VerifyOperation(aggregator != null, OpenIdStrings.UnsupportedChannelConfiguration);
 			return aggregator.Factories;
 		}
+
+		/// <summary>
+		/// Determines whether the association with the specified handle is (still) valid.
+		/// </summary>
+		/// <param name="associationStore">The association store.</param>
+		/// <param name="containingMessage">The OpenID message that referenced this association handle.</param>
+		/// <param name="isPrivateAssociation">A value indicating whether a private association is expected.</param>
+		/// <param name="handle">The association handle.</param>
+		/// <returns>
+		///   <c>true</c> if the specified containing message is valid; otherwise, <c>false</c>.
+		/// </returns>
+		internal static bool IsValid(this IProviderAssociationStore associationStore, IProtocolMessage containingMessage, bool isPrivateAssociation, string handle) {
+			Contract.Requires<ArgumentNullException>(associationStore != null, "associationStore");
+			Contract.Requires<ArgumentNullException>(containingMessage != null, "containingMessage");
+			Contract.Requires<ArgumentException>(!String.IsNullOrEmpty(handle));
+			try {
+				return associationStore.Deserialize(containingMessage, isPrivateAssociation, handle) != null;
+			} catch (ProtocolException) {
+				return false;
+			}
+		}
 	}
 }
diff --git a/src/DotNetOpenAuth/OpenId/Provider/IProviderAssociationStore.cs b/src/DotNetOpenAuth/OpenId/Provider/IProviderAssociationStore.cs
new file mode 100644
index 0000000..101fdda
--- /dev/null
+++ b/src/DotNetOpenAuth/OpenId/Provider/IProviderAssociationStore.cs
@@ -0,0 +1,81 @@
+//-----------------------------------------------------------------------
+// <copyright file="IProviderAssociationStore.cs" company="Andrew Arnott">
+//     Copyright (c) Andrew Arnott. All rights reserved.
+// </copyright>
+//-----------------------------------------------------------------------
+
+namespace DotNetOpenAuth.OpenId.Provider {
+	using System;
+	using System.Collections.Generic;
+	using System.Diagnostics.Contracts;
+	using System.Linq;
+	using System.Text;
+	using DotNetOpenAuth.Messaging;
+
+	/// <summary>
+	/// Provides association serialization and deserialization.
+	/// </summary>
+	[ContractClass(typeof(IProviderAssociationStoreContract))]
+	public interface IProviderAssociationStore {
+		/// <summary>
+		/// Stores an association and returns a handle for it.
+		/// </summary>
+		/// <param name="secret">The association secret.</param>
+		/// <param name="expiresUtc">The UTC time that the association should expire.</param>
+		/// <param name="privateAssociation">A value indicating whether this is a private association.</param>
+		/// <returns>
+		/// The association handle that represents this association.
+		/// </returns>
+		string Serialize(byte[] secret, DateTime expiresUtc, bool privateAssociation);
+
+		/// <summary>
+		/// Retrieves an association given an association handle.
+		/// </summary>
+		/// <param name="containingMessage">The OpenID message that referenced this association handle.</param>
+		/// <param name="isPrivateAssociation">A value indicating whether a private association is expected.</param>
+		/// <param name="handle">The association handle.</param>
+		/// <returns>
+		/// An association instance, or <c>null</c> if the association has expired or the signature is incorrect (which may be because the OP's symmetric key has changed).
+		/// </returns>
+		/// <exception cref="ProtocolException">Thrown if the association is not of the expected type.</exception>
+		Association Deserialize(IProtocolMessage containingMessage, bool isPrivateAssociation, string handle);
+	}
+
+	/// <summary>
+	/// Code contract for the <see cref="IProviderAssociationStore"/> interface.
+	/// </summary>
+	[ContractClassFor(typeof(IProviderAssociationStore))]
+	internal abstract class IProviderAssociationStoreContract : IProviderAssociationStore {
+		/// <summary>
+		/// Stores an association and returns a handle for it.
+		/// </summary>
+		/// <param name="secret">The association secret.</param>
+		/// <param name="expiresUtc">The expires UTC.</param>
+		/// <param name="isPrivateAssociation">A value indicating whether this is a private association.</param>
+		/// <returns>
+		/// The association handle that represents this association.
+		/// </returns>
+		string IProviderAssociationStore.Serialize(byte[] secret, DateTime expiresUtc, bool isPrivateAssociation) {
+			Contract.Requires<ArgumentNullException>(secret != null);
+			Contract.Requires<ArgumentException>(expiresUtc.Kind == DateTimeKind.Utc);
+			Contract.Ensures(!String.IsNullOrEmpty(Contract.Result<string>()));
+			throw new NotImplementedException();
+		}
+
+		/// <summary>
+		/// Retrieves an association given an association handle.
+		/// </summary>
+		/// <param name="containingMessage">The OpenID message that referenced this association handle.</param>
+		/// <param name="isPrivateAssociation">A value indicating whether a private association is expected.</param>
+		/// <param name="handle">The association handle.</param>
+		/// <returns>
+		/// An association instance, or <c>null</c> if the association has expired or the signature is incorrect (which may be because the OP's symmetric key has changed).
+		/// </returns>
+		/// <exception cref="ProtocolException">Thrown if the association is not of the expected type.</exception>
+		Association IProviderAssociationStore.Deserialize(IProtocolMessage containingMessage, bool isPrivateAssociation, string handle) {
+			Contract.Requires<ArgumentNullException>(containingMessage != null, "containingMessage");
+			Contract.Requires<ArgumentException>(!String.IsNullOrEmpty(handle));
+			throw new NotImplementedException();
+		}
+	}
+}
diff --git a/src/DotNetOpenAuth/OpenId/Provider/OpenIdProvider.cs b/src/DotNetOpenAuth/OpenId/Provider/OpenIdProvider.cs
index d31f5f7..b99ac5a 100644
--- a/src/DotNetOpenAuth/OpenId/Provider/OpenIdProvider.cs
+++ b/src/DotNetOpenAuth/OpenId/Provider/OpenIdProvider.cs
@@ -79,7 +79,7 @@ namespace DotNetOpenAuth.OpenId.Provider {
 			Contract.Ensures(this.SecuritySettings != null);
 			Contract.Ensures(this.Channel != null);
 
-			this.AssociationStore = new ProviderAssociationStore();
+			this.AssociationStore = new ProviderAssociationHandleEncoder();
 			this.SecuritySettings = DotNetOpenAuthSection.Configuration.OpenId.Provider.SecuritySettings.CreateSecuritySettings();
 			this.behaviors.CollectionChanged += this.OnBehaviorsChanged;
 			foreach (var behavior in DotNetOpenAuthSection.Configuration.OpenId.Provider.Behaviors.CreateInstances(false)) {
@@ -163,6 +163,11 @@ namespace DotNetOpenAuth.OpenId.Provider {
 		}
 
 		/// <summary>
+		/// Gets or sets the association store.
+		/// </summary>
+		public IProviderAssociationStore AssociationStore { get; set; }
+
+		/// <summary>
 		/// Gets the list of services that can perform discovery on identifiers given to this relying party.
 		/// </summary>
 		internal IList<IIdentifierDiscoveryService> DiscoveryServices {
@@ -178,11 +183,6 @@ namespace DotNetOpenAuth.OpenId.Provider {
 		}
 
 		/// <summary>
-		/// Gets the association store.
-		/// </summary>
-		internal ProviderAssociationStore AssociationStore { get; private set; }
-
-		/// <summary>
 		/// Gets the relying party used for discovery of identifiers sent in unsolicited assertions.
 		/// </summary>
 		private RP.OpenIdRelyingParty RelyingParty {
diff --git a/src/DotNetOpenAuth/OpenId/Provider/ProviderAssociationHandleEncoder.cs b/src/DotNetOpenAuth/OpenId/Provider/ProviderAssociationHandleEncoder.cs
new file mode 100644
index 0000000..bc1882f
--- /dev/null
+++ b/src/DotNetOpenAuth/OpenId/Provider/ProviderAssociationHandleEncoder.cs
@@ -0,0 +1,102 @@
+//-----------------------------------------------------------------------
+// <copyright file="ProviderAssociationHandleEncoder.cs" company="Andrew Arnott">
+//     Copyright (c) Andrew Arnott. All rights reserved.
+// </copyright>
+//-----------------------------------------------------------------------
+
+namespace DotNetOpenAuth.OpenId.Provider {
+	using System;
+	using System.Threading;
+	using DotNetOpenAuth.Messaging;
+
+	/// <summary>
+	/// Provides association storage in the association handle itself, but embedding signed and encrypted association
+	/// details in the handle.
+	/// </summary>
+	public class ProviderAssociationHandleEncoder : IProviderAssociationStore {
+		/// <summary>
+		/// The thread synchronization object.
+		/// </summary>
+		private readonly object syncObject = new object();
+
+		/// <summary>
+		/// Backing field for the <see cref="Secret"/> property.
+		/// </summary>
+		private byte[] secret;
+
+		/// <summary>
+		/// Initializes a new instance of the <see cref="ProviderAssociationHandleEncoder"/> class.
+		/// </summary>
+		public ProviderAssociationHandleEncoder() {
+		}
+
+		/// <summary>
+		/// Gets or sets the symmetric secret this Provider uses for protecting messages to itself.
+		/// </summary>
+		/// <remarks>
+		/// If the value is not set by the time this property is requested, a random key will be generated.
+		/// </remarks>
+		public byte[] Secret {
+			get {
+				if (this.secret == null) {
+					lock (this.syncObject) {
+						if (this.secret == null) {
+							Logger.OpenId.Info("Generating a symmetric secret for signing and encrypting association handles.");
+							this.secret = MessagingUtilities.GetCryptoRandomData(16);
+						}
+					}
+				}
+
+				return this.secret;
+			}
+
+			set {
+				ErrorUtilities.VerifyOperation(this.secret == null, "The symmetric secret has already been set.");
+				this.secret = value;
+			}
+		}
+
+		/// <summary>
+		/// Encodes the specified association data bag.
+		/// </summary>
+		/// <param name="secret">The symmetric secret.</param>
+		/// <param name="expiresUtc">The UTC time that the association should expire.</param>
+		/// <param name="isPrivateAssociation">A value indicating whether this is a private association.</param>
+		/// <returns>
+		/// The association handle that represents this association.
+		/// </returns>
+		public string Serialize(byte[] secret, DateTime expiresUtc, bool isPrivateAssociation) {
+			var associationDataBag = new AssociationDataBag {
+				Secret = secret,
+				IsPrivateAssociation = isPrivateAssociation,
+				ExpiresUtc = expiresUtc,
+			};
+			var formatter = AssociationDataBag.CreateFormatter(this.Secret);
+			return formatter.Serialize(associationDataBag);
+		}
+
+		/// <summary>
+		/// Retrieves an association given an association handle.
+		/// </summary>
+		/// <param name="containingMessage">The OpenID message that referenced this association handle.</param>
+		/// <param name="isPrivateAssociation">A value indicating whether a private association is expected.</param>
+		/// <param name="handle">The association handle.</param>
+		/// <returns>
+		/// An association instance, or <c>null</c> if the association has expired or the signature is incorrect (which may be because the OP's symmetric key has changed).
+		/// </returns>
+		/// <exception cref="ProtocolException">Thrown if the association is not of the expected type.</exception>
+		public Association Deserialize(IProtocolMessage containingMessage, bool isPrivateAssociation, string handle) {
+			var formatter = AssociationDataBag.CreateFormatter(this.Secret);
+			AssociationDataBag bag;
+			try {
+				bag = formatter.Deserialize(containingMessage, handle);
+			} catch (ProtocolException) {
+				return null;
+			}
+
+			ErrorUtilities.VerifyProtocol(bag.IsPrivateAssociation == isPrivateAssociation, "Unexpected association type.");
+			Association assoc = Association.Deserialize(handle, bag.ExpiresUtc, bag.Secret);
+			return assoc.IsExpired ? null : assoc;
+		}
+	}
+}
diff --git a/src/DotNetOpenAuth/OpenId/Provider/ProviderAssociationStore.cs b/src/DotNetOpenAuth/OpenId/Provider/ProviderAssociationStore.cs
deleted file mode 100644
index be4d01c..0000000
--- a/src/DotNetOpenAuth/OpenId/Provider/ProviderAssociationStore.cs
+++ /dev/null
@@ -1,75 +0,0 @@
-//-----------------------------------------------------------------------
-// <copyright file="ProviderAssociationStore.cs" company="Andrew Arnott">
-//     Copyright (c) Andrew Arnott. All rights reserved.
-// </copyright>
-//-----------------------------------------------------------------------
-
-namespace DotNetOpenAuth.OpenId.Provider {
-	using DotNetOpenAuth.Messaging;
-
-	/// <summary>
-	/// The OpenID Provider association serializer, used to encode/decode association handles.
-	/// </summary>
-	internal class ProviderAssociationStore {
-		/// <summary>
-		/// Initializes a new instance of the <see cref="ProviderAssociationStore"/> class.
-		/// </summary>
-		internal ProviderAssociationStore() {
-			this.Secret = MessagingUtilities.GetCryptoRandomData(16);
-		}
-
-		/// <summary>
-		/// Gets or sets the symmetric secret this Provider uses for protecting messages to itself.
-		/// </summary>
-		internal byte[] Secret { get; set; }
-
-		/// <summary>
-		/// Encodes the specified association data bag.
-		/// </summary>
-		/// <param name="associationDataBag">The association data bag.</param>
-		/// <returns>The association handle that represents this association.</returns>
-		internal string Encode(AssociationDataBag associationDataBag) {
-			var formatter = AssociationDataBag.CreateFormatter(this.Secret);
-			return formatter.Serialize(associationDataBag);
-		}
-
-		/// <summary>
-		/// Retrieves an association given an association handle.
-		/// </summary>
-		/// <param name="containingMessage">The OpenID message that referenced this association handle.</param>
-		/// <param name="associationType">The expected type of the retrieved association.</param>
-		/// <param name="handle">The association handle.</param>
-		/// <returns>An association instance, or <c>null</c> if the association has expired or the signature is incorrect (which may be because the OP's symmetric key has changed).</returns>
-		/// <exception cref="ProtocolException">Thrown if the association is not of the expected type.</exception>
-		internal Association Decode(IProtocolMessage containingMessage, AssociationRelyingPartyType associationType, string handle) {
-			var formatter = AssociationDataBag.CreateFormatter(this.Secret);
-			AssociationDataBag bag;
-			try {
-				bag = formatter.Deserialize(containingMessage, handle);
-			} catch (ProtocolException) {
-				return null;
-			}
-
-			ErrorUtilities.VerifyProtocol(bag.AssociationType == associationType, "Unexpected association type.");
-			Association assoc = Association.Deserialize(handle, bag.ExpiresUtc, bag.Secret);
-			return assoc.IsExpired ? null : assoc;
-		}
-
-		/// <summary>
-		/// Determines whether the association with the specified handle is (still) valid.
-		/// </summary>
-		/// <param name="containingMessage">The OpenID message that referenced this association handle.</param>
-		/// <param name="associationType">The expected type of the retrieved association.</param>
-		/// <param name="handle">The association handle.</param>
-		/// <returns>
-		///   <c>true</c> if the specified containing message is valid; otherwise, <c>false</c>.
-		/// </returns>
-		internal bool IsValid(IProtocolMessage containingMessage, AssociationRelyingPartyType associationType, string handle) {
-			try {
-				return this.Decode(containingMessage, associationType, handle) != null;
-			} catch (ProtocolException) {
-				return false;
-			}
-		}
-	}
-}
diff --git a/src/DotNetOpenAuth/OpenId/RelyingParty/AssociationManager.cs b/src/DotNetOpenAuth/OpenId/RelyingParty/AssociationManager.cs
index 90a6228..9a43506 100644
--- a/src/DotNetOpenAuth/OpenId/RelyingParty/AssociationManager.cs
+++ b/src/DotNetOpenAuth/OpenId/RelyingParty/AssociationManager.cs
@@ -23,7 +23,7 @@ namespace DotNetOpenAuth.OpenId.RelyingParty {
 		/// <summary>
 		/// The storage to use for saving and retrieving associations.  May be null.
 		/// </summary>
-		private readonly IAssociationStore associationStore;
+		private readonly IRelyingPartyAssociationStore associationStore;
 
 		/// <summary>
 		/// Backing field for the <see cref="Channel"/> property.
@@ -41,7 +41,7 @@ namespace DotNetOpenAuth.OpenId.RelyingParty {
 		/// <param name="channel">The channel the relying party is using.</param>
 		/// <param name="associationStore">The association store.  May be null for dumb mode relying parties.</param>
 		/// <param name="securitySettings">The security settings.</param>
-		internal AssociationManager(Channel channel, IAssociationStore associationStore, RelyingPartySecuritySettings securitySettings) {
+		internal AssociationManager(Channel channel, IRelyingPartyAssociationStore associationStore, RelyingPartySecuritySettings securitySettings) {
 			Contract.Requires<ArgumentNullException>(channel != null);
 			Contract.Requires<ArgumentNullException>(securitySettings != null);
 
@@ -93,7 +93,7 @@ namespace DotNetOpenAuth.OpenId.RelyingParty {
 		/// <summary>
 		/// Gets the storage to use for saving and retrieving associations.  May be null.
 		/// </summary>
-		internal IAssociationStore AssociationStoreTestHook {
+		internal IRelyingPartyAssociationStore AssociationStoreTestHook {
 			get { return this.associationStore; }
 		}
 
diff --git a/src/DotNetOpenAuth/OpenId/RelyingParty/AssociationMemoryStore.cs b/src/DotNetOpenAuth/OpenId/RelyingParty/AssociationMemoryStore.cs
index 1dc8126..67dbdd4 100644
--- a/src/DotNetOpenAuth/OpenId/RelyingParty/AssociationMemoryStore.cs
+++ b/src/DotNetOpenAuth/OpenId/RelyingParty/AssociationMemoryStore.cs
@@ -15,10 +15,10 @@ namespace DotNetOpenAuth.OpenId.RelyingParty {
 	/// <remarks>
 	/// This class should be used for low-to-medium traffic relying party sites that can afford to lose associations
 	/// if the app pool was ever restarted.  High traffic relying parties and providers should write their own
-	/// implementation of <see cref="IAssociationStore"/> that works against their own database schema
+	/// implementation of <see cref="IRelyingPartyAssociationStore"/> that works against their own database schema
 	/// to allow for persistance and recall of associations across servers in a web farm and server restarts.
 	/// </remarks>
-	internal class AssociationMemoryStore : IAssociationStore {
+	internal class AssociationMemoryStore : IRelyingPartyAssociationStore {
 		/// <summary>
 		/// How many association store requests should occur between each spring cleaning.
 		/// </summary>
diff --git a/src/DotNetOpenAuth/OpenId/RelyingParty/AuthenticationRequest.cs b/src/DotNetOpenAuth/OpenId/RelyingParty/AuthenticationRequest.cs
index be06a23..5293876 100644
--- a/src/DotNetOpenAuth/OpenId/RelyingParty/AuthenticationRequest.cs
+++ b/src/DotNetOpenAuth/OpenId/RelyingParty/AuthenticationRequest.cs
@@ -212,7 +212,7 @@ namespace DotNetOpenAuth.OpenId.RelyingParty {
 		/// small to ensure successful authentication.  About 1.5KB is about all that should be stored.</para>
 		/// </remarks>
 		public void AddCallbackArguments(IDictionary<string, string> arguments) {
-			ErrorUtilities.VerifyOperation(this.RelyingParty.CanSignCallbackArguments, OpenIdStrings.CallbackArgumentsRequireSecretStore, typeof(IAssociationStore).Name, typeof(OpenIdRelyingParty).Name);
+			ErrorUtilities.VerifyOperation(this.RelyingParty.CanSignCallbackArguments, OpenIdStrings.CallbackArgumentsRequireSecretStore, typeof(IRelyingPartyAssociationStore).Name, typeof(OpenIdRelyingParty).Name);
 
 			this.returnToArgsMustBeSigned = true;
 			foreach (var pair in arguments) {
@@ -239,7 +239,7 @@ namespace DotNetOpenAuth.OpenId.RelyingParty {
 		/// small to ensure successful authentication.  About 1.5KB is about all that should be stored.</para>
 		/// </remarks>
 		public void AddCallbackArguments(string key, string value) {
-			ErrorUtilities.VerifyOperation(this.RelyingParty.CanSignCallbackArguments, OpenIdStrings.CallbackArgumentsRequireSecretStore, typeof(IAssociationStore).Name, typeof(OpenIdRelyingParty).Name);
+			ErrorUtilities.VerifyOperation(this.RelyingParty.CanSignCallbackArguments, OpenIdStrings.CallbackArgumentsRequireSecretStore, typeof(IRelyingPartyAssociationStore).Name, typeof(OpenIdRelyingParty).Name);
 
 			this.returnToArgsMustBeSigned = true;
 			this.returnToArgs.Add(key, value);
@@ -260,7 +260,7 @@ namespace DotNetOpenAuth.OpenId.RelyingParty {
 		/// small to ensure successful authentication.  About 1.5KB is about all that should be stored.</para>
 		/// </remarks>
 		public void SetCallbackArgument(string key, string value) {
-			ErrorUtilities.VerifyOperation(this.RelyingParty.CanSignCallbackArguments, OpenIdStrings.CallbackArgumentsRequireSecretStore, typeof(IAssociationStore).Name, typeof(OpenIdRelyingParty).Name);
+			ErrorUtilities.VerifyOperation(this.RelyingParty.CanSignCallbackArguments, OpenIdStrings.CallbackArgumentsRequireSecretStore, typeof(IRelyingPartyAssociationStore).Name, typeof(OpenIdRelyingParty).Name);
 
 			this.returnToArgsMustBeSigned = true;
 			this.returnToArgs[key] = value;
diff --git a/src/DotNetOpenAuth/OpenId/RelyingParty/IRelyingPartyApplicationStore.cs b/src/DotNetOpenAuth/OpenId/RelyingParty/IRelyingPartyApplicationStore.cs
index 519dae8..0c80c0f 100644
--- a/src/DotNetOpenAuth/OpenId/RelyingParty/IRelyingPartyApplicationStore.cs
+++ b/src/DotNetOpenAuth/OpenId/RelyingParty/IRelyingPartyApplicationStore.cs
@@ -16,6 +16,6 @@ namespace DotNetOpenAuth.OpenId.RelyingParty {
 	/// A hybrid of all the store interfaces that a Relying Party requires in order
 	/// to operate in "smart" mode.
 	/// </summary>
-	public interface IRelyingPartyApplicationStore : IAssociationStore, INonceStore {
+	public interface IRelyingPartyApplicationStore : IRelyingPartyAssociationStore, INonceStore {
 	}
 }
diff --git a/src/DotNetOpenAuth/OpenId/RelyingParty/IAssociationStore.cs b/src/DotNetOpenAuth/OpenId/RelyingParty/IRelyingPartyAssociationStore.cs
index 695aa66..264d198 100644
--- a/src/DotNetOpenAuth/OpenId/RelyingParty/IAssociationStore.cs
+++ b/src/DotNetOpenAuth/OpenId/RelyingParty/IRelyingPartyAssociationStore.cs
@@ -1,5 +1,5 @@
 //-----------------------------------------------------------------------
-// <copyright file="IAssociationStore.cs" company="Andrew Arnott">
+// <copyright file="IRelyingPartyAssociationStore.cs" company="Andrew Arnott">
 //     Copyright (c) Andrew Arnott. All rights reserved.
 // </copyright>
 //-----------------------------------------------------------------------
@@ -19,8 +19,8 @@ namespace DotNetOpenAuth.OpenId.RelyingParty {
 	/// to not be a performance drain.  Because this balance can vary by host, it is the
 	/// responsibility of the host to initiate this cleaning.
 	/// </remarks>
-	[ContractClass(typeof(IAssociationStoreContract))]
-	public interface IAssociationStore {
+	[ContractClass(typeof(IRelyingPartyAssociationStoreContract))]
+	public interface IRelyingPartyAssociationStore {
 		/// <summary>
 		/// Saves an <see cref="Association"/> for later recall.
 		/// </summary>
@@ -70,10 +70,10 @@ namespace DotNetOpenAuth.OpenId.RelyingParty {
 	}
 
 	/// <summary>
-	/// Code Contract for the <see cref="IAssociationStore"/> class.
+	/// Code Contract for the <see cref="IRelyingPartyAssociationStore"/> class.
 	/// </summary>
-	[ContractClassFor(typeof(IAssociationStore))]
-	internal abstract class IAssociationStoreContract : IAssociationStore {
+	[ContractClassFor(typeof(IRelyingPartyAssociationStore))]
+	internal abstract class IRelyingPartyAssociationStoreContract : IRelyingPartyAssociationStore {
 		#region IAssociationStore Members
 
 		/// <summary>
@@ -84,7 +84,7 @@ namespace DotNetOpenAuth.OpenId.RelyingParty {
 		/// <remarks>
 		/// TODO: what should implementations do on association handle conflict?
 		/// </remarks>
-		void IAssociationStore.StoreAssociation(Uri providerEndpoint, Association association) {
+		void IRelyingPartyAssociationStore.StoreAssociation(Uri providerEndpoint, Association association) {
 			Contract.Requires<ArgumentNullException>(providerEndpoint != null);
 			Contract.Requires<ArgumentNullException>(association != null);
 			throw new NotImplementedException();
@@ -107,7 +107,7 @@ namespace DotNetOpenAuth.OpenId.RelyingParty {
 		/// Associations that are returned that do not meet the security requirements will be
 		/// ignored and a new association created.
 		/// </remarks>
-		Association IAssociationStore.GetAssociation(Uri providerEndpoint, SecuritySettings securityRequirements) {
+		Association IRelyingPartyAssociationStore.GetAssociation(Uri providerEndpoint, SecuritySettings securityRequirements) {
 			Contract.Requires<ArgumentNullException>(providerEndpoint != null);
 			Contract.Requires<ArgumentNullException>(securityRequirements != null);
 			throw new NotImplementedException();
@@ -121,7 +121,7 @@ namespace DotNetOpenAuth.OpenId.RelyingParty {
 		/// <returns>
 		/// The requested association, or null if no unexpired <see cref="Association"/>s exist for the given key and handle.
 		/// </returns>
-		Association IAssociationStore.GetAssociation(Uri providerEndpoint, string handle) {
+		Association IRelyingPartyAssociationStore.GetAssociation(Uri providerEndpoint, string handle) {
 			Contract.Requires<ArgumentNullException>(providerEndpoint != null);
 			Contract.Requires(!String.IsNullOrEmpty(handle));
 			throw new NotImplementedException();
@@ -139,7 +139,7 @@ namespace DotNetOpenAuth.OpenId.RelyingParty {
 		/// No exception should be thrown if the association does not exist in the store
 		/// before this call.
 		/// </remarks>
-		bool IAssociationStore.RemoveAssociation(Uri providerEndpoint, string handle) {
+		bool IRelyingPartyAssociationStore.RemoveAssociation(Uri providerEndpoint, string handle) {
 			Contract.Requires<ArgumentNullException>(providerEndpoint != null);
 			Contract.Requires(!String.IsNullOrEmpty(handle));
 			throw new NotImplementedException();
diff --git a/src/DotNetOpenAuth/OpenId/RelyingParty/OpenIdRelyingParty.cs b/src/DotNetOpenAuth/OpenId/RelyingParty/OpenIdRelyingParty.cs
index 02c821f..cf82cf3 100644
--- a/src/DotNetOpenAuth/OpenId/RelyingParty/OpenIdRelyingParty.cs
+++ b/src/DotNetOpenAuth/OpenId/RelyingParty/OpenIdRelyingParty.cs
@@ -110,7 +110,7 @@ namespace DotNetOpenAuth.OpenId.RelyingParty {
 		/// <param name="associationStore">The association store.  If null, the relying party will always operate in "dumb mode".</param>
 		/// <param name="nonceStore">The nonce store to use.  If null, the relying party will always operate in "dumb mode".</param>
 		[SuppressMessage("Microsoft.Maintainability", "CA1506:AvoidExcessiveClassCoupling", Justification = "Unavoidable")]
-		private OpenIdRelyingParty(IAssociationStore associationStore, INonceStore nonceStore) {
+		private OpenIdRelyingParty(IRelyingPartyAssociationStore associationStore, INonceStore nonceStore) {
 			// If we are a smart-mode RP (supporting associations), then we MUST also be 
 			// capable of storing nonces to prevent replay attacks.
 			// If we're a dumb-mode RP, then 2.0 OPs are responsible for preventing replays.
diff --git a/src/DotNetOpenAuth/OpenId/RelyingParty/PositiveAnonymousResponse.cs b/src/DotNetOpenAuth/OpenId/RelyingParty/PositiveAnonymousResponse.cs
index fb1970c..fc334b0 100644
--- a/src/DotNetOpenAuth/OpenId/RelyingParty/PositiveAnonymousResponse.cs
+++ b/src/DotNetOpenAuth/OpenId/RelyingParty/PositiveAnonymousResponse.cs
@@ -174,7 +174,7 @@ namespace DotNetOpenAuth.OpenId.RelyingParty {
 			if (this.response.ReturnToParametersSignatureValidated) {
 				return this.GetUntrustedCallbackArgument(key);
 			} else {
-				Logger.OpenId.WarnFormat(OpenIdStrings.CallbackArgumentsRequireSecretStore, typeof(IAssociationStore).Name, typeof(OpenIdRelyingParty).Name);
+				Logger.OpenId.WarnFormat(OpenIdStrings.CallbackArgumentsRequireSecretStore, typeof(IRelyingPartyAssociationStore).Name, typeof(OpenIdRelyingParty).Name);
 				return null;
 			}
 		}
@@ -214,7 +214,7 @@ namespace DotNetOpenAuth.OpenId.RelyingParty {
 			if (this.response.ReturnToParametersSignatureValidated) {
 				return this.GetUntrustedCallbackArguments();
 			} else {
-				Logger.OpenId.WarnFormat(OpenIdStrings.CallbackArgumentsRequireSecretStore, typeof(IAssociationStore).Name, typeof(OpenIdRelyingParty).Name);
+				Logger.OpenId.WarnFormat(OpenIdStrings.CallbackArgumentsRequireSecretStore, typeof(IRelyingPartyAssociationStore).Name, typeof(OpenIdRelyingParty).Name);
 				return EmptyDictionary<string, string>.Instance;
 			}
 		}
diff --git a/src/DotNetOpenAuth/OpenId/RelyingParty/PrivateSecretManager.cs b/src/DotNetOpenAuth/OpenId/RelyingParty/PrivateSecretManager.cs
index dfd8f5d..6472fa4 100644
--- a/src/DotNetOpenAuth/OpenId/RelyingParty/PrivateSecretManager.cs
+++ b/src/DotNetOpenAuth/OpenId/RelyingParty/PrivateSecretManager.cs
@@ -36,14 +36,14 @@ namespace DotNetOpenAuth.OpenId.RelyingParty {
 		/// <summary>
 		/// The association store
 		/// </summary>
-		private IAssociationStore store;
+		private IRelyingPartyAssociationStore store;
 
 		/// <summary>
 		/// Initializes a new instance of the <see cref="PrivateSecretManager"/> class.
 		/// </summary>
 		/// <param name="securitySettings">The security settings.</param>
 		/// <param name="store">The association store.</param>
-		internal PrivateSecretManager(RelyingPartySecuritySettings securitySettings, IAssociationStore store) {
+		internal PrivateSecretManager(RelyingPartySecuritySettings securitySettings, IRelyingPartyAssociationStore store) {
 			Contract.Requires<ArgumentNullException>(securitySettings != null);
 			Contract.Requires<ArgumentNullException>(store != null);
 
diff --git a/src/DotNetOpenAuth/OpenId/RelyingParty/StandardRelyingPartyApplicationStore.cs b/src/DotNetOpenAuth/OpenId/RelyingParty/StandardRelyingPartyApplicationStore.cs
index 3e15f6a..5fd4be9 100644
--- a/src/DotNetOpenAuth/OpenId/RelyingParty/StandardRelyingPartyApplicationStore.cs
+++ b/src/DotNetOpenAuth/OpenId/RelyingParty/StandardRelyingPartyApplicationStore.cs
@@ -23,7 +23,7 @@ namespace DotNetOpenAuth.OpenId.RelyingParty {
 		/// <summary>
 		/// The association store to use.
 		/// </summary>
-		private readonly IAssociationStore associationStore;
+		private readonly IRelyingPartyAssociationStore associationStore;
 
 		/// <summary>
 		/// Initializes a new instance of the <see cref="StandardRelyingPartyApplicationStore"/> class.