RE: [PROPOSAL] authentication age

2006-10-05 Thread Recordon, David
Kevin Turner Cc: specs@openid.net Subject: Re: [PROPOSAL] authentication age Kevin, thanks for the well-articulated argument. I do see this as something that is completely within the End User's control, and if the End User chose to ignore it, then that is their choice. The use case is that for conv

Re: [PROPOSAL] authentication age

2006-10-05 Thread Dick Hardt
Kevin, thanks for the well-articulated argument. I do see this as something that is completely within the End User's control, and if the End User chose to ignore it, then that is their choice. The use case is that for convenience, a site wants to let the user do certain functions without hav

Re: [PROPOSAL] authentication age

2006-10-04 Thread Kevin Turner
Pretty much the *only* relationship that exists between the RP and the IdP is that the authentication method is trustworthy because the user has decided it is. I believe this proposal places additional demands on that, and that those are demands that the protocol cannot fully support. When you as

Re: [PROPOSAL] authentication age

2006-10-04 Thread Martin Atkins
Dick Hardt wrote: > I find the argument that IdPs will just return success all the time > to be baseless. A good IdP will do what it thinks is best for its > users. A bad IdP will not have any users for any period of time. I suppose it depends on what you consider to be "bad". Consider this:

Re: [PROPOSAL] authentication age

2006-10-03 Thread Dick Hardt
On 2-Oct-06, at 11:51 AM, Kevin Turner wrote: > On Sun, 2006-10-01 at 20:07 +0100, Martin Atkins wrote: > [...] >> then some/most IdPs just won't bother. [...] >> a completely uncheckable assumption and is therefore broken by >> design. >> >> The best we can do is make it a MAY (that is, max_ag

RE: [PROPOSAL] authentication age

2006-10-02 Thread Kevin Turner
On Sun, 2006-10-01 at 13:08 -0700, Recordon, David wrote: > It could be augmented to also contain a response parameter telling the > RP if the IdP acknowledged it, then the RP could make the decision if > it wants to proceed. You will want that response parameter. Otherwise, couldn't I (as the a

RE: [PROPOSAL] authentication age

2006-10-02 Thread Recordon, David
[mailto:[EMAIL PROTECTED] On Behalf Of Dick Hardt Sent: Monday, October 02, 2006 9:33 AM To: Martin Atkins Cc: specs@openid.net Subject: Re: [PROPOSAL] authentication age On 2-Oct-06, at 2:48 AM, Martin Atkins wrote: > Recordon, David wrote: >> That was going to be my exact follow-up t

Re: [PROPOSAL] authentication age

2006-10-02 Thread Dick Hardt
On 2-Oct-06, at 2:48 AM, Martin Atkins wrote: > Recordon, David wrote: >> That was going to be my exact follow-up to my own message, though got >> distracted. What I phrased was how Dick described it. >> >> I like the feature, though agree that many IdPs may be unable to >> implement it due to h

RE: [PROPOSAL] authentication age

2006-10-02 Thread Recordon, David
Also means that from a Yadis file it is easy for an IdP to advertise the extension or not. --David -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Turner Sent: Monday, October 02, 2006 11:52 AM To: specs@openid.net Subject: Re: [PROPOSAL] authentication

Re: [PROPOSAL] authentication age

2006-10-02 Thread Kevin Turner
On Sun, 2006-10-01 at 20:07 +0100, Martin Atkins wrote: [...] > then some/most IdPs just won't bother. [...] > a completely uncheckable assumption and is therefore broken by design. > > The best we can do is make it a MAY (that is, max_age is a *suggestion* > from the RP) and hope that most IdPs d

Re: [PROPOSAL] authentication age

2006-10-02 Thread Martin Atkins
Recordon, David wrote: > That was going to be my exact follow-up to my own message, though got > distracted. What I phrased was how Dick described it. > > I like the feature, though agree that many IdPs may be unable to > implement it due to how they do session handling. It could be augmented

RE: [PROPOSAL] authentication age

2006-10-01 Thread Recordon, David
That was going to be my exact follow-up to my own message, though got distracted. What I phrased was how Dick described it. I like the feature, though agree that many IdPs may be unable to implement it due to how they do session handling. It could

Re: [PROPOSAL] authentication age

2006-10-01 Thread Martin Atkins
Recordon, David wrote: > No, IdP MUST perform and RP MAY include. > IdP implementations that are embedded into some other app might have trouble implementing this. Take LiveJournal, for example: what should it do in the case where it has to re-authenticate? End the user's LJ session and force

RE: [PROPOSAL] authentication age

2006-10-01 Thread Recordon, David
No, IdP MUST perform and RP MAY include. --David -Original Message- From: Dick Hardt [mailto:[EMAIL PROTECTED]] Sent: Sun 10/1/2006 7:52 AM To: Recordon, David Cc: specs@openid.net Subject: Re: [PROPOSAL] authentication age Better wording

Re: [PROPOSAL] authentication age

2006-10-01 Thread Dick Hardt
Better wording, thanks. I was thinking the IdP MUST perform per the parameter. The RP MAY include it, so it is an optional parameter in the request. Are you suggesting the RP MUST include it? -- Dick On 1-Oct-06, at 3:33 AM, Recordon, David wrote: > I like this, though think minutes would be

RE: [PROPOSAL] authentication age

2006-10-01 Thread Recordon, David
I like this, though think minutes would be granular enough. Just to clarify, since it took me reading it a few times... Add an optional request parameter openid.auth_age which is a positive integer. This parameter allows the relying party to