# File lib/openid/server.rb, line 1040
      def sign(response)
        signed_response = response.copy
        assoc_handle = response.request.assoc_handle
        if assoc_handle
          # normal mode disabling expiration check because even if the
          # association is expired, we still need to know some
          # properties of the association so that we may preserve
          # those properties when creating the fallback association.
          assoc = get_association(assoc_handle, false, false)

          if !assoc or assoc.expires_in <= 0
            # fall back to dumb mode
            signed_response.fields.set_arg(
                  OPENID_NS, 'invalidate_handle', assoc_handle)
            assoc_type = assoc ? assoc.assoc_type : 'HMAC-SHA1'
            if assoc and assoc.expires_in <= 0
              # now do the clean-up that the disabled checkExpiration
              # code didn't get to do.
              invalidate(assoc_handle, false)
            end
            assoc = create_association(true, assoc_type)
          end
        else
          # dumb mode.
          assoc = create_association(true)
        end

        begin
          signed_response.fields = assoc.sign_message(signed_response.fields)
        rescue KVFormError => err
          raise EncodingError, err
        end
        return signed_response
      end