On Tue, Jun 30, 2009 at 11:11 PM, Nate Klingenstein <[email protected]> wrote:

> Dick,
>
>> I am suggesting changing the spec for the privacy reasons you stated. The
>> RP does not need to know when the last auth was, just that it met the RP's
>> policy.
>
> How can this be done if the request isn't signed? Can't a user presenting
> the request change the max_auth_age to whatever it wants, or omit it
> entirely? "Yes, I met your requirement" doesn't mean much if the
> requirement itself can be trivially changed by the client and the RP has no
> indication this occurred.

Good catch. That's another argument for max_auth_age in the request merely
being a hint, and auth_time in the response being the thing that matters.

Dirk.

> Confused,
> Nate.
_______________________________________________
security mailing list
[email protected]
http://openid.net/mailman/listinfo/security
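As an added illustration of the point Dirk makes (this is example code written for this page, not from the thread's authors or from any OpenID library): the relying party ignores whatever max_auth_age the request carried and instead applies its own freshness policy to the auth_time the OP returned, accepting it only if that field is covered by the response signature. The PAPE key names and namespace are the real ones; the RP policy value, the sample response and the signature value are constructed, and verifying openid.sig itself is assumed to happen elsewhere.

```python
"""RP-side freshness check on a PAPE response (constructed example)."""
from datetime import datetime, timezone

AUTH_TIME_KEY = "openid.pape.auth_time"   # PAPE 1.0 response field
SIGNED_KEY = "openid.signed"              # comma-separated signed field names

def parse_auth_time(value: str) -> datetime:
    """PAPE auth_time is an ISO 8601 UTC timestamp, e.g. 2009-06-30T23:11:00Z."""
    if not value.endswith("Z"):
        raise ValueError("auth_time must be in UTC (trailing Z)")
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def auth_is_fresh(response: dict, rp_max_auth_age: int, now: datetime,
                  skew: int = 30) -> bool:
    """True only if auth_time is signed and within the RP's own policy.

    The request's max_auth_age is treated purely as a hint to the OP: a
    client could have altered or dropped it, so the RP re-applies its policy
    (rp_max_auth_age, in seconds) to the value the OP actually signed.
    """
    # openid.signed lists field names without the "openid." prefix.
    signed = set(response.get(SIGNED_KEY, "").split(","))
    if AUTH_TIME_KEY[len("openid."):] not in signed:
        return False            # unsigned auth_time proves nothing
    if AUTH_TIME_KEY not in response:
        return False            # OP did not report when the user authenticated
    try:
        auth_time = parse_auth_time(response[AUTH_TIME_KEY])
    except ValueError:
        return False
    age = (now - auth_time).total_seconds()
    # Reject timestamps from the future (beyond a small clock-skew tolerance)
    # as well as stale ones.
    return -skew <= age <= rp_max_auth_age

# Constructed sample response: auth_time is listed among the signed fields.
SAMPLE_RESPONSE = {
    "openid.ns.pape": "http://specs.openid.net/extensions/pape/1.0",
    "openid.pape.auth_time": "2009-06-30T23:11:00Z",
    "openid.signed": ("op_endpoint,claimed_id,identity,return_to,"
                      "response_nonce,assoc_handle,ns.pape,pape.auth_time"),
    "openid.sig": "constructed-signature-value",
}

if __name__ == "__main__":
    now = datetime(2009, 7, 1, 0, 0, 0, tzinfo=timezone.utc)   # 49 min later
    print(auth_is_fresh(SAMPLE_RESPONSE, 3600, now))   # True
    print(auth_is_fresh(SAMPLE_RESPONSE, 600, now))    # False: too old
```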
