Re: [OT] our cookie expiration

2006-10-09 Thread Dick Hardt

On 9-Oct-06, at 1:12 AM, Josh Hoyt wrote:

> On 10/8/06, Dick Hardt <[EMAIL PROTECTED]> wrote:
>> [...] I would want the site to prompt for a password if I was doing something
>> important. The only way for the IdP to know that is for the RP to
>> tell it somehow -> auth_age request.
>
> This is only useful in conjunction with signed requests. A malicious
> 3rd party could easily remove whatever parameter(s) in the request
> that made the IdP prompt for the password. If the request is not
> signed, it's a false sense of security at best.

Not true. The malicious 3rd party can modify the request, but not the response.

The response would contain the auth_age parameter as well, so the RP would know if the IdP was claiming to have performed the request.

-- Dick
___
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs
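An added illustration of the point argued in the two replies above (it is not code from the thread or from any OpenID implementation): the RP asks for fresh authentication with an `auth_age` request parameter, a party in the middle can strip that parameter from the unsigned request, but the IdP echoes the age of the authentication it actually relied on inside the signed response, so the RP can still detect that its request was not honoured. The field names other than `auth_age`, the URLs and the shared secret are constructed for the example; the signature is a plain HMAC over the signed fields, standing in for whatever the real protocol uses.

```python
import hashlib
import hmac

# Constructed shared secret standing in for the key the RP and IdP establish
# out of band (an association). The party tampering with the request never holds it.
SHARED_SECRET = b"constructed-association-secret"


def sign_fields(fields):
    """HMAC-SHA256 over the given fields, serialised as name:value lines in sorted order."""
    payload = "\n".join(f"{name}:{fields[name]}" for name in sorted(fields))
    return hmac.new(SHARED_SECRET, payload.encode(), hashlib.sha256).hexdigest()


def rp_build_request(max_auth_age):
    """RP asks the IdP for an authentication no older than max_auth_age seconds.
    'auth_age' is the parameter name used in the thread; the other fields are illustrative."""
    return {
        "mode": "checkid_setup",
        "return_to": "https://rp.example/finish",  # constructed
        "auth_age": str(max_auth_age),
    }


def strip_parameter(request, name):
    """Models Josh's concern: the request is unsigned, so a parameter can be dropped in transit."""
    return {k: v for k, v in request.items() if k != name}


def idp_handle(request, seconds_since_login):
    """IdP: re-prompts when the request asks for fresher authentication than it has,
    then reports the age of the authentication it actually relied on inside the signed part
    of the response (Dick's point: the response, unlike the request, cannot be edited)."""
    requested = request.get("auth_age")
    if requested is not None and seconds_since_login > int(requested):
        seconds_since_login = 0  # user re-entered the password just now
    response = {
        "mode": "id_res",
        "identity": "https://alice.idp.example/",  # constructed
        "auth_age": str(seconds_since_login),
    }
    response["signed"] = ",".join(sorted(response))
    # The signature covers every listed field plus the 'signed' list itself.
    response["sig"] = sign_fields(dict(response))
    return response


def rp_verify(response, max_auth_age):
    """RP: check the signature first, then check that the signed auth_age meets its own policy."""
    try:
        names = response["signed"].split(",") + ["signed"]
        covered = {name: response[name] for name in names}
    except KeyError:
        return "rejected: incomplete response"
    if not hmac.compare_digest(sign_fields(covered), response.get("sig", "")):
        return "rejected: bad signature"
    if "auth_age" not in covered:
        return "rejected: auth_age not among the signed fields"
    if int(covered["auth_age"]) > max_auth_age:
        return "rejected: authentication older than requested"
    return "accepted"


def edit_response_auth_age(response, claimed_age):
    """Models an attempt to fix up the response instead: alter the reported age after signing."""
    edited = dict(response)
    edited["auth_age"] = str(claimed_age)
    return edited


def run_flow(max_auth_age, seconds_since_login, strip_request_param=False):
    """End-to-end: RP request -> (optional tampering) -> IdP response -> RP verification."""
    request = rp_build_request(max_auth_age)
    if strip_request_param:
        request = strip_parameter(request, "auth_age")
    response = idp_handle(request, seconds_since_login)
    return rp_verify(response, max_auth_age)


if __name__ == "__main__":
    # Session is an hour old, RP wants auth no older than five minutes.
    print(run_flow(300, 3600))                            # accepted: IdP re-prompted
    print(run_flow(300, 3600, strip_request_param=True))  # rejected: signed auth_age is 3600
    stale = idp_handle(strip_parameter(rp_build_request(300), "auth_age"), 3600)
    print(rp_verify(edit_response_auth_age(stale, 0), 300))  # rejected: bad signature
```

The RP's policy check is deliberately on the response, not on what it believes it sent: whether or not the request survived intact, the decision rests on the signed `auth_age` the IdP reports, which the tampering party can neither remove nor rewrite without the association secret.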


Re: [OT] our cookie expiration

2006-10-09 Thread Josh Hoyt
On 10/8/06, Dick Hardt <[EMAIL PROTECTED]> wrote:
> [...] I would want the site to prompt for a password if I was doing something
> important. The only way for the IdP to know that is for the RP to
> tell it somehow -> auth_age request.

This is only useful in conjunction with signed requests. A malicious
3rd party could easily remove whatever parameter(s) in the request
that made the IdP prompt for the password. If the request is not
signed, it's a false sense of security at best.

Josh


Re: [OT] our cookie expiration

2006-10-08 Thread Dick Hardt

On 4-Oct-06, at 2:20 PM, Kevin Turner wrote:

> On Wed, 2006-10-04 at 19:40 +0100, Martin Atkins wrote:
>> it's been my experience that users are willing to trade an awful lot of
>> security to avoid software nagging at them repeatedly.
>
> Which goes back to what Dick was saying about his myopenid.com login
> cookie not expiring.  Users didn't like logging in after every time
> their browser restarted, so we made the cookie persistent.

Which I want to have happen for my OpenID transactions today, but I would want the site to prompt for a password if I was doing something important. The only way for the IdP to know that is for the RP to tell it somehow -> auth_age request.

>
> Does that make us a "BadCitizen-IdP"?  I don't believe it does.
> Expiring cookies sooner seems beneficial for a particular group of
> users, those who are:
>
> 1) cautious enough to not leave their myopenid.com password in their
> browser's password cache, and
> 2) careless enough to leave their desktops unlocked when unattended.

I only fall into category (2), but would like to get prompted when it is important per above.

> The combination of those two contrasting qualities seems likely to be a
> small subset of our user base.  We hoped the remaining users who really
> wanted to not have old login cookies laying around would avail
> themselves of the "sign off" button.

Signing off from myopenid.com is not readily available in my user-experience.
Curious how you expect the user to go to the IdP to logout?

-- Dick