That is why auth_age MUST be returned as a signed parameter in the
response.
That is the only way the RP has any idea the OP saw the request.
I happen to agree about signed requests but let's not boil the ocean on
this one.
John B.
On 1-Jul-09, at 2:11 AM, Nate Klingenstein wrote:
Dick,
I am suggesting changing the spec for the privacy reasons you
stated. The RP does not need to know when the last auth was, just
that it met the RP's policy.
How can this be done if the request isn't signed? Can't a user
presenting the request change the max_auth_age to whatever it wants,
or omit it entirely? "Yes, I met your requirement" doesn't mean
much if the requirement itself can be trivially changed by the
client and the RP has no indication this occurred.
Confused,
Nate.
_______________________________________________
specs-pape mailing list
[email protected]
http://openid.net/mailman/listinfo/specs-pape
_______________________________________________
security mailing list
[email protected]
http://openid.net/mailman/listinfo/security
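The point both messages circle around, that an RP cannot trust a request parameter the client could have rewritten and must instead check a value the OP returns under its signature against the RP's own policy, is shown below as an added example. It is not code from the thread or from the OpenID or PAPE specifications: the key-value signing form, the HMAC-SHA256 choice, the field names `signed`, `sig` and `auth_age`, and the pre-shared association secret are all assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed association secret for the example. In OpenID it would be
# established between RP and OP beforehand; here it is simply assumed shared.
ASSOC_SECRET = b"constructed-association-secret"


def kv_form(fields, signed_keys):
    """Serialise the signed fields as 'key:value\\n' lines in list order.
    Modelled loosely on a key-value signing form; the exact layout is an
    assumption, not the spec's wire format. Raises KeyError if a listed
    field is absent, which the verifier treats as a failure."""
    return "".join(f"{k}:{fields[k]}\n" for k in signed_keys).encode()


def op_sign_response(fields, signed_keys, secret=ASSOC_SECRET):
    """OP side: build the response, list which fields are signed (the list
    itself included) and attach an HMAC over exactly those fields."""
    out = dict(fields)
    keys = list(signed_keys) + ["signed"]
    out["signed"] = ",".join(keys)
    out["sig"] = hmac.new(secret, kv_form(out, keys), hashlib.sha256).hexdigest()
    return out


def rp_check_response(resp, max_auth_age, secret=ASSOC_SECRET):
    """RP side. Returns (ok, reason).

    The RP never consults what max_auth_age the request carried, because a
    client-forwarded, unsigned request can say anything. It only accepts an
    auth_age that the OP covered with a valid signature, and then applies
    its own policy to that value."""
    signed_field = resp.get("signed", "")
    signed_keys = signed_field.split(",") if signed_field else []
    if "auth_age" not in signed_keys:
        return False, "auth_age not signed"
    try:
        expected = hmac.new(secret, kv_form(resp, signed_keys), hashlib.sha256).hexdigest()
    except KeyError as missing:
        return False, f"signed field missing: {missing}"
    if not hmac.compare_digest(expected, resp.get("sig", "")):
        return False, "bad signature"
    try:
        age = int(resp["auth_age"])
    except ValueError:
        return False, "auth_age not an integer"
    if age < 0:
        return False, "auth_age negative"
    if age > max_auth_age:
        return False, f"auth_age {age} exceeds policy {max_auth_age}"
    return True, "ok"


# Constructed sample response fields; the claimed_id is a placeholder.
BASE_FIELDS = {
    "mode": "id_res",
    "claimed_id": "https://example.invalid/alice",
    "auth_age": "30",
}
RP_POLICY_MAX_AGE = 300


def scenarios():
    """Four cases a practitioner would want to see handled."""
    honest = op_sign_response(BASE_FIELDS, ["mode", "claimed_id", "auth_age"])

    # Response altered in transit: auth_age lowered after the OP signed it.
    tampered = dict(honest)
    tampered["auth_age"] = "0"

    # OP returned auth_age but left it out of the signed list.
    unsigned = op_sign_response(BASE_FIELDS, ["mode", "claimed_id"])

    # Genuine but stale authentication, honestly reported.
    stale = op_sign_response(dict(BASE_FIELDS, auth_age="3600"),
                             ["mode", "claimed_id", "auth_age"])

    return {
        "honest": rp_check_response(honest, RP_POLICY_MAX_AGE),
        "tampered": rp_check_response(tampered, RP_POLICY_MAX_AGE),
        "unsigned": rp_check_response(unsigned, RP_POLICY_MAX_AGE),
        "stale": rp_check_response(stale, RP_POLICY_MAX_AGE),
    }


if __name__ == "__main__":
    for name, (ok, reason) in scenarios().items():
        print(f"{name:9s} -> {'accept' if ok else 'reject'}: {reason}")
```

Only the first case is accepted; the other three are rejected for different reasons, and none of the outcomes depends on what the request said, which is why a signed `auth_age` in the response gives the RP something to enforce even when the request itself was never signed.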