On 2-Oct-06, at 11:51 AM, Kevin Turner wrote:

> On Sun, 2006-10-01 at 20:07 +0100, Martin Atkins wrote:
> [...]
>> then some/most IdPs just won't bother. [...]
>> a completely uncheckable assumption and is therefore broken by
>> design.
>>
>> The best we can do is make it a MAY (that is, max_age is a *suggestion*
>> from the RP) and hope that most IdPs do the right thing; we shouldn't
>> write the spec in a way that misleads RP implementers into thinking
>> they've actually got any real control here.
>
> What he said.
>
> I'd suggest drafting this feature as an extension. I know that weakens
> it, but as Martin says, you can't count on it being there in any case,
> so I think an optional extension is a much more straightforward way of
> representing when this functionality is actually available.
I still think this should be in the auth spec and not an extension. An IdP will already be doing some type of session age management, and what we want is for the RP to indicate to the IdP what session age is acceptable for what it is doing with the user.

David asked about LJ and should it expire the LJ session. If that is how LJ is determining whether to AuthN me while acting as an IdP, then perhaps. Many apps have different levels of session age, and I think the lack of this feature will hinder adoption by many sites.

<rant>
I find the argument that IdPs will just return success all the time to be baseless. A good IdP will do what it thinks is best for its users. A bad IdP will not have any users for any period of time. Given the portability of URLs, being an IdP is competitive, and people will move to the one that best suits them. If that means some IdPs just return success *and* that is what users want, then so be it. The feature is there for all the other users and IdPs that want it.

For example, I am a little dismayed that myopenid.com has not timed out my session for quite a while, which means that anyone walking up to my machine can log in to any of my OpenID sites. Not an issue now, but if we want serious websites to take OpenID seriously, we need to put the right features in.
</rant>

_______________________________________________
specs mailing list
firstname.lastname@example.org
http://openid.net/mailman/listinfo/specs
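The two sides of the max_age argument in this thread, as an added illustration (not code from the OpenID spec or from any IdP or RP implementation): an IdP that treats the RP's max_age as a suggestion against its own session age, and an RP that can only check freshness if the IdP reports when authentication actually happened. Function names, the `auth_time` field and the constructed clock are assumptions.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed clock for the example; not a real timestamp from the thread.
NOW = datetime(2006, 10, 2, 12, 0, tzinfo=timezone.utc)


def seconds_ago(n: int) -> datetime:
    """Helper: a point in time n seconds before the constructed clock."""
    return NOW - timedelta(seconds=n)


def idp_decide(now: datetime, last_auth: Optional[datetime],
               max_age: Optional[int]) -> str:
    """IdP side. max_age is a MAY: the RP's suggested maximum session age.
    A cooperating IdP re-authenticates when its own session is older than
    that; with no max_age it simply reuses whatever session it has."""
    if last_auth is None:
        return "reauthenticate"          # no session at all
    if max_age is None:
        return "reuse_session"           # RP expressed no preference
    if now - last_auth > timedelta(seconds=max_age):
        return "reauthenticate"          # session too old for this RP
    return "reuse_session"


def lax_idp_decide(now: datetime, last_auth: Optional[datetime],
                   max_age: Optional[int]) -> str:
    """The IdP Martin worries about: ignores max_age and just returns
    success for any existing session."""
    return "reuse_session" if last_auth is not None else "reauthenticate"


def rp_accept(now: datetime, max_age: int, auth_time: Optional[datetime],
              skew: int = 60) -> str:
    """RP side. The RP cannot verify that max_age was honored unless the
    (signed) response carries the time the user actually authenticated
    (assumed field: auth_time). Without it the age is unknown, and the RP
    must decide on local policy rather than trust that max_age did anything."""
    if auth_time is None:
        return "unknown"                 # the uncheckable assumption
    if now - auth_time > timedelta(seconds=max_age + skew):
        return "too_old"                 # IdP ignored the suggestion
    return "fresh"
```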