Re: [OT] our cookie expiration
On 9-Oct-06, at 1:12 AM, Josh Hoyt wrote:

> On 10/8/06, Dick Hardt <[EMAIL PROTECTED]> wrote:
>> [...] I would want the site to prompt for a password if I was
>> doing something important. The only way for the IdP to know that
>> is for the RP to tell it somehow -> auth_age request.
>
> This is only useful in conjunction with signed requests. A malicious
> 3rd party could easily remove whatever parameter(s) in the request
> that made the IdP prompt for the password. If the request is not
> signed, it's a false sense of security at best.

Not true. The malicious 3rd party can modify the request, but not the
response. The response would contain the auth_age parameter as well, so
the RP would know if the IdP was claiming to have performed the request.

-- Dick

___
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs
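The exchange between Josh and Dick above, as a worked example: the RP's requirement travels in an unsigned request that an intermediary can strip, so the RP's real check has to be made against the auth_age the IdP reports in the signed response. This code is added here for illustration and is not from the thread or from any OpenID implementation. The field name auth_age follows the thread's wording; the HMAC-SHA256 over a key-value form of the fields named in the signed list is only loosely modelled on OpenID association signing; the shared secret, identifier and session ages are constructed values.

```python
import base64
import hashlib
import hmac

# Constructed shared secret; in OpenID it would come from the RP/IdP
# association step.  Not a real key.
SHARED_SECRET = b"constructed-demo-secret-not-a-real-association"


def kv_form(fields, keys):
    """OpenID-style key-value encoding of the listed fields, in order."""
    return "".join(f"{k}:{fields[k]}\n" for k in keys).encode()


def sign_response(fields, shared_secret=SHARED_SECRET):
    """IdP side: name every field in 'signed' (the list itself included)
    and MAC the key-value form of exactly those fields."""
    signed_keys = sorted(fields) + ["signed"]
    out = dict(fields)
    out["signed"] = ",".join(signed_keys)
    mac = hmac.new(shared_secret, kv_form(out, signed_keys), hashlib.sha256).digest()
    out["sig"] = base64.b64encode(mac).decode()
    return out


def idp_handle_request(request, session_auth_age):
    """Toy IdP.  'auth_age' in the request is the oldest authentication the
    RP will accept (seconds).  If the session is older, the user is
    re-prompted (modelled as resetting the age to 0).  The response always
    reports the real age, whatever the request asked for."""
    wanted = request.get("auth_age")
    if wanted is not None and session_auth_age > int(wanted):
        session_auth_age = 0  # user re-entered the password just now
    return sign_response({
        "mode": "id_res",
        "identity": "http://example.invalid/alice",  # constructed identifier
        "auth_age": str(session_auth_age),
    })


def verify_response(resp, max_auth_age, shared_secret=SHARED_SECRET):
    """RP side.  Returns (accepted, reason).  The RP does not rely on what it
    put in the request; it checks what the IdP signed in the response."""
    signed_keys = [k for k in resp.get("signed", "").split(",") if k]
    if "sig" not in resp or not signed_keys:
        return False, "unsigned response"
    try:
        expected = hmac.new(shared_secret, kv_form(resp, signed_keys), hashlib.sha256).digest()
        supplied = base64.b64decode(resp["sig"])
    except (KeyError, ValueError):
        return False, "malformed signed response"
    if not hmac.compare_digest(expected, supplied):
        return False, "bad signature"
    if "auth_age" not in signed_keys:
        return False, "auth_age not covered by signature"
    if int(resp["auth_age"]) > max_auth_age:
        return False, "authentication too old"
    return True, "ok"


def run_exchange(strip_request_param):
    """RP wants an authentication no older than 300 s; the user's IdP session
    is a day old.  Optionally the RP's parameter is dropped from the
    unsigned request on the way to the IdP, which is Josh's scenario."""
    request = {"mode": "checkid_setup", "auth_age": "300"}
    if strip_request_param:
        del request["auth_age"]
    response = idp_handle_request(request, session_auth_age=86400)
    return verify_response(response, max_auth_age=300)


def rewrite_response_auth_age():
    """auth_age is rewritten inside the signed response."""
    response = idp_handle_request({"mode": "checkid_setup"}, session_auth_age=86400)
    response["auth_age"] = "0"
    return verify_response(response, max_auth_age=300)


def drop_response_auth_age():
    """auth_age is removed from the response and from its signed list."""
    response = idp_handle_request({"mode": "checkid_setup"}, session_auth_age=86400)
    del response["auth_age"]
    response["signed"] = ",".join(k for k in response["signed"].split(",") if k != "auth_age")
    return verify_response(response, max_auth_age=300)


if __name__ == "__main__":
    print("honest request   :", run_exchange(strip_request_param=False))
    print("stripped request :", run_exchange(strip_request_param=True))
    print("rewritten reply  :", rewrite_response_auth_age())
    print("field dropped    :", drop_response_auth_age())
```

With the request parameter stripped the IdP simply never re-prompts, but it still signs the true age, so the RP rejects the day-old authentication instead of silently accepting it. Because the signed list is itself covered by the MAC, both editing auth_age and deleting it together with its entry in the list fail as a bad signature. The separate "auth_age not covered by signature" check is the RP-side guard that remains necessary: a response whose signature is valid but whose signed list omits auth_age tells the RP nothing about the authentication age, so it should not be treated as if the IdP had vouched for it.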
Re: [OT] our cookie expiration
On 10/8/06, Dick Hardt <[EMAIL PROTECTED]> wrote:
> [...] I would want the site to prompt for a password if I was doing
> something important. The only way for the IdP to know that is for the
> RP to tell it somehow -> auth_age request.

This is only useful in conjunction with signed requests. A malicious 3rd
party could easily remove whatever parameter(s) in the request that made
the IdP prompt for the password. If the request is not signed, it's a
false sense of security at best.

Josh
Re: [OT] our cookie expiration
On 4-Oct-06, at 2:20 PM, Kevin Turner wrote:

> On Wed, 2006-10-04 at 19:40 +0100, Martin Atkins wrote:
>> it's been my experience that users are willing to trade an awful lot of
>> security to avoid software nagging at them repeatedly.
>
> Which goes back to what Dick was saying about his myopenid.com login
> cookie not expiring. Users didn't like logging in after every time
> their browser restarted, so we made the cookie persistent.

Which I want to have happen for my OpenID transactions today, but I
would want the site to prompt for a password if I was doing something
important. The only way for the IdP to know that is for the RP to tell
it somehow -> auth_age request.

> Does that make us a "BadCitizen-IdP"? I don't believe it does.
> Expiring cookies sooner seems beneficial for a particular group of
> users, those who are:
>
> 1) cautious enough to not leave their myopenid.com password in their
> browser's password cache, and
> 2) careless enough to leave their desktops unlocked when unattended.

I only fall into category (2), but would like to get prompted when it
is important per above.

> The combination of those two contrasting qualities seems likely to be a
> small subset of our user base. We hoped the remaining users who really
> wanted to not have old login cookies laying around would avail
> themselves of the "sign off" button.

Signing off from myopenid.com is not readily available in my user
experience. Curious how you expect the user to go to the IdP to logout?

-- Dick
[OT] our cookie expiration
On Wed, 2006-10-04 at 19:40 +0100, Martin Atkins wrote:
> it's been my experience that users are willing to trade an awful lot of
> security to avoid software nagging at them repeatedly.

Which goes back to what Dick was saying about his myopenid.com login
cookie not expiring. Users didn't like logging in after every time their
browser restarted, so we made the cookie persistent.

Does that make us a "BadCitizen-IdP"? I don't believe it does. Expiring
cookies sooner seems beneficial for a particular group of users, those
who are:

1) cautious enough to not leave their myopenid.com password in their
browser's password cache, and
2) careless enough to leave their desktops unlocked when unattended.

The combination of those two contrasting qualities seems likely to be a
small subset of our user base. We hoped the remaining users who really
wanted to not have old login cookies laying around would avail themselves
of the "sign off" button.