On 2-Oct-06, at 11:51 AM, Kevin Turner wrote:

> On Sun, 2006-10-01 at 20:07 +0100, Martin Atkins wrote:
> [...]
>> then some/most IdPs just won't bother. [...]
>> a completely uncheckable assumption and is therefore broken by design.
>> The best we can do is make it a MAY (that is, max_age is a *suggestion*
>> from the RP) and hope that most IdPs do the right thing; we shouldn't
>> write the spec in a way that misleads RP implementers into thinking
>> they've actually got any real control here.
> What he said.
> I'd suggest drafting this feature as an extension.  I know that weakens
> it, but as Martin says, you can't count on it being there in any case,
> so I think an optional extension is a much more straightforward way of
> representing when this functionality is actually available.

I still think this should be in the auth spec and not an extension.

An IdP will already be doing some type of session age management, and  
what we want is for the RP to indicate to the IdP what session age is  
acceptable for what it is doing with the user.

David asked about LJ and should it expire the LJ session. If that is  
how LJ is determining whether to AuthN me while acting as an IdP, then

Many apps have different levels of session age, and I think the lack  
of this feature will hinder adoption by many sites.

I find the argument that IdPs will just return success all the time  
to be baseless. A good IdP will do what it thinks is best for its  
users. A bad IdP will not have any users for any period of time.  
Given the portability of URLs, being an IdP is competitive, and  
people will move to the one that best suits them. If that means some  
IdPs just return success *and* that is what users want, then so be  
it. The feature is there for all the other users and IdPs that want it.

For example, I am a little dismayed that myopenid.com has not timed  
out my session for quite a while, which means that anyone walking up  
to my machine can login to any of my OpenID sites. Not an issue now,  
but if we want serious websites to take OpenID seriously, we need to  
put the right features in. </rant>
specs mailing list
