Recordon, David wrote:
> No, IdP MUST perform and RP MAY include.

IdP implementations that are embedded into some other app might have 
trouble implementing this. Take LiveJournal, for example: what should it 
do in the case where it has to re-authenticate? End the user's LJ 
session and force them to log in again? Duplicate the login code in the 
OpenID server code?

Aside from that qualm, this is another one of those things where it's 
pointless to make it a MUST since IdPs that don't implement it aren't 
going to get punished in any way. If IdPs can get away without doing it, 
and RPs can't tell that they have, then some/most IdPs just won't 
bother. Sure, it reduces the usefulness of this feature, but this 
feature is riding on a completely uncheckable assumption and is 
therefore broken by design.

The best we can do is make it a MAY (that is, max_age is a *suggestion* 
from the RP) and hope that most IdPs do the right thing; we shouldn't 
write the spec in a way that misleads RP implementers into thinking 
they've actually got any real control here.

specs mailing list

Reply via email to