On Sun, 2006-10-01 at 13:08 -0700, Recordon, David wrote:

> It could be augmented to also contain a response parameter telling the
> RP if the IdP acknowledged it, then the RP could make the decision if
> it wants to proceed.

You will want that response parameter.  Otherwise, couldn't I (as the
attacker who has the user's IdP cookie) just drop the auth_age parameter
from the checkid request?
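As an added illustration (not code from this thread or from any OpenID library), the check below shows the RP side of the point made above: the RP only trusts an authentication-freshness claim that the IdP echoes back inside its signed response, so a request whose auth_age parameter was dropped yields a response the RP refuses. The response parameter name `auth_age`, the HMAC-over-signed-fields scheme and all sample values are constructed assumptions.

```python
import hashlib
import hmac

# Shared association secret between RP and IdP (constructed sample value).
ASSOC_SECRET = b"constructed-shared-secret"


def sign(fields, signed_keys, secret=ASSOC_SECRET):
    """Sign the listed fields as 'key:value' lines under an HMAC.
    Simplified stand-in for the real OpenID association signature."""
    body = "".join(f"{k}:{fields[k]}\n" for k in signed_keys).encode()
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def idp_response(request, user_auth_age, honor_auth_age=True):
    """Build the IdP's positive assertion. Only if the checkid request
    carried auth_age (and the IdP honors it) is the acknowledgement
    echoed back, and it is then covered by the signature."""
    fields = {"mode": "id_res", "identity": request["identity"]}
    if honor_auth_age and "auth_age" in request:
        fields["auth_age"] = str(user_auth_age)  # hypothetical ack name
    signed = sorted(fields)
    fields["signed"] = ",".join(signed)
    fields["sig"] = sign(fields, signed)
    return fields


def rp_verify(response, max_auth_age, secret=ASSOC_SECRET):
    """RP-side decision. Returns (accepted, reason)."""
    signed = response.get("signed", "").split(",")
    if not hmac.compare_digest(sign(response, signed, secret),
                               response.get("sig", "")):
        return False, "bad signature"
    if max_auth_age is None:
        return True, "no freshness requirement"
    # The ack must be present AND inside the signed field list; otherwise
    # auth_age may have been stripped from the request before the IdP saw
    # it, or appended unsigned to the response by someone else.
    if "auth_age" not in response or "auth_age" not in signed:
        return False, "auth_age acknowledgement missing"
    if int(response["auth_age"]) > max_auth_age:
        return False, "authentication too old"
    return True, "fresh authentication"


if __name__ == "__main__":
    req = {"identity": "https://alice.example/", "auth_age": "300"}
    print(rp_verify(idp_response(req, 10), 300))       # accepted
    stripped = {"identity": "https://alice.example/"}  # auth_age dropped
    print(rp_verify(idp_response(stripped, 10), 300))  # rejected
```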

