Dick,
I am suggesting changing the spec for the privacy reasons you stated. The RP does not need to know when the last auth was, just that it met the RP's policy.
How can this be done if the request isn't signed? Can't a user presenting the request change the max_auth_age to whatever it wants, or omit it entirely? "Yes, I met your requirement" doesn't mean much if the requirement itself can be trivially changed by the client and the RP has no indication this occurred.
Confused,
Nate.

_______________________________________________
security mailing list
[email protected]
http://openid.net/mailman/listinfo/security

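An added illustration of the concern raised in this message, not code from the thread or from any OpenID implementation: the request parameter that states the freshness requirement is unsigned, so the relying party (RP) should decide freshness from its own server-side policy and from fields the provider (OP) actually signed, never from a requirement echoed back by the client. The field names (`auth_time`, `signed`, `sig`, `max_auth_age`), the HMAC-SHA256 signing scheme, the shared association secret and the 300-second policy are all assumptions constructed for this example.

```python
"""
Added example (not from the mailing-list thread): an RP that ignores the
client-controlled max_auth_age and checks freshness only against its own
policy and a signed auth_time from the OP.

Assumptions (constructed for this example):
  - The OP's positive response carries `auth_time` (seconds since epoch),
    a `signed` list naming the covered fields, and `sig`, an HMAC-SHA256
    over those fields in "key:value\n" form (modelled loosely on OpenID's
    openid.signed / openid.sig).
  - RP and OP share the association secret ASSOC_SECRET.
  - The RP keeps its freshness policy RP_MAX_AUTH_AGE server side.
"""
import base64
import hashlib
import hmac
import time

ASSOC_SECRET = b"constructed-association-secret"  # shared RP/OP secret (constructed)
RP_MAX_AUTH_AGE = 300  # RP policy: the authentication must be at most 5 minutes old


def _signing_input(params, signed_fields):
    """Canonical "key:value\\n" lines for each signed field, in list order."""
    return "".join(f"{k}:{params[k]}\n" for k in signed_fields).encode()


def sign_response(params, signed_fields, secret=ASSOC_SECRET):
    """OP side: bind the list of signed fields and MAC them together."""
    params = dict(params)
    signed_fields = list(signed_fields)
    if "signed" not in signed_fields:
        signed_fields.append("signed")  # cover the field list itself
    params["signed"] = ",".join(signed_fields)
    mac = hmac.new(secret, _signing_input(params, signed_fields), hashlib.sha256).digest()
    params["sig"] = base64.b64encode(mac).decode()
    return params


def verify_signature(params, secret=ASSOC_SECRET):
    """RP side: recompute the MAC over the fields the response says are signed."""
    signed_fields = params.get("signed", "").split(",")
    if not all(f in params for f in signed_fields):
        return False
    expected = base64.b64encode(
        hmac.new(secret, _signing_input(params, signed_fields), hashlib.sha256).digest()
    ).decode()
    return hmac.compare_digest(expected, params.get("sig", ""))


def response_meets_policy(params, now=None, max_age=RP_MAX_AUTH_AGE, secret=ASSOC_SECRET):
    """Decide freshness from signed OP data and the RP's own policy only.

    Any max_auth_age present in the response is deliberately not consulted:
    it originated in an unsigned request that the user agent could alter or
    drop, so it says nothing about what the RP actually required.
    """
    now = time.time() if now is None else now
    if not verify_signature(params, secret):
        return False
    if "auth_time" not in params["signed"].split(","):
        return False  # an unsigned auth_time is as untrustworthy as the request
    try:
        auth_time = int(params["auth_time"])
    except (KeyError, ValueError):
        return False
    return 0 <= now - auth_time <= max_age


if __name__ == "__main__":
    now = int(time.time())
    # Client echoed a huge max_auth_age, but the OP's signed auth_time is stale.
    stale = sign_response({"mode": "id_res", "auth_time": str(now - 1000),
                           "max_auth_age": "999999"}, ["mode", "auth_time"])
    print("stale response accepted:", response_meets_policy(stale, now=now))
```

The decision never reads `max_auth_age`; it depends only on `RP_MAX_AUTH_AGE`, which lives with the RP, and on an `auth_time` that the OP covered with its signature.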