Kevin Turner
Cc: specs@openid.net
Subject: Re: [PROPOSAL] authentication age
Kevin, thanks for the well-articulated argument.
I do see this as something that is completely within the End User's
control, and if the End User chose to ignore it, then that is their
choice.
The use case is that for convenience, a site wants to let the user do
certain functions without hav
Pretty much the *only* relationship that exists between the RP and the
IdP is that the authentication method is trustworthy because the user
has decided it is. I believe this proposal places additional demands on
that, and that those are demands that the protocol cannot fully support.
When you as
Dick Hardt wrote:
> I find the argument that IdPs will just return success all the time
> to be baseless. A good IdP will do what it thinks is best for its
> users. A bad IdP will not have any users for any period of time.
I suppose it depends on what you consider to be "bad". Consider this:
On 2-Oct-06, at 11:51 AM, Kevin Turner wrote:
> On Sun, 2006-10-01 at 20:07 +0100, Martin Atkins wrote:
> [...]
>> then some/most IdPs just won't bother. [...]
>> a completely uncheckable assumption and is therefore broken by
>> design.
>>
>> The best we can do is make it a MAY (that is, max_ag
On Sun, 2006-10-01 at 13:08 -0700, Recordon, David wrote:
> It could be augmented to also contain a response parameter telling the
> RP if the IdP acknowledged it, then the RP could make the decision if
> it wants to proceed.
You will want that response parameter. Otherwise, couldn't I (as the
a
[mailto:[EMAIL PROTECTED] On
Behalf Of Dick Hardt
Sent: Monday, October 02, 2006 9:33 AM
To: Martin Atkins
Cc: specs@openid.net
Subject: Re: [PROPOSAL] authentication age
On 2-Oct-06, at 2:48 AM, Martin Atkins wrote:
> Recordon, David wrote:
>> That was going to be my exact follow-up to my own message, though got
>> distracted. What I phrased was how Dick described it.
>>
>> I like the feature, though agree that many IdPs may be unable to
>> implement it due to h
Also means from a Yadis file is easy for an IdP to advertise the
extension or not.
--David
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of Kevin Turner
Sent: Monday, October 02, 2006 11:52 AM
To: specs@openid.net
Subject: Re: [PROPOSAL] authentication
On Sun, 2006-10-01 at 20:07 +0100, Martin Atkins wrote:
[...]
> then some/most IdPs just won't bother. [...]
> a completely uncheckable assumption and is therefore broken by design.
>
> The best we can do is make it a MAY (that is, max_age is a *suggestion*
> from the RP) and hope that most IdPs d
Recordon, David wrote:
> That was going to be my exact follow-up to my own message, though got
> distracted. What I phrased was how Dick described it.
>
> I like the feature, though agree that many IdPs may be unable to
> implement it due to how they do session handling. It could be augmented
Title: RE: [PROPOSAL] authentication age
That was going to be my exact follow-up to my own message, though got distracted. What I phrased was how Dick described it.
I like the feature, though agree that many IdPs may be unable to implement it due to how they do session handling. It could
Recordon, David wrote:
> No, IdP MUST perform and RP MAY include.
>
IdP implementations that are embedded into some other app might have
trouble implementing this. Take LiveJournal, for example: what should it
do in the case where it has to re-authenticate? End the user's LJ
session and force
Title: RE: [PROPOSAL] authentication age
No, IdP MUST perform and RP MAY include.
--David
-----Original Message-----
From: Dick Hardt [mailto:[EMAIL PROTECTED]]
Sent: Sun 10/1/2006 7:52 AM
To: Recordon, David
Cc: specs@openid.net
Subject: Re: [PROPOSAL] authentication age
Better wording
Better wording, thanks.
I was thinking the IdP MUST perform per the parameter. The RP MAY
include it, so it is an optional parameter in the request.
Are you suggesting the RP MUST include it?
-- Dick
On 1-Oct-06, at 3:33 AM, Recordon, David wrote:
> I like this, though think minutes would be
Title: RE: [PROPOSAL] authentication age
I like this, though think minutes would be granular enough. Just to clarify, since it took me reading it a few times...
Add an optional request parameter openid.auth_age which is a positive integer. This parameter allows the relying party to