On 4-Oct-06, at 2:20 PM, Kevin Turner wrote:

> On Wed, 2006-10-04 at 19:40 +0100, Martin Atkins wrote:
>> it's been my experience that users are willing to trade an awful  
>> lot of
>> security to avoid software nagging at them repeatedly.
> Which goes back to what Dick was saying about his myopenid.com login
> cookie not expiring.  Users didn't like logging in after every time
> their browser restarted, so we made the cookie persistent.

Which I want to have happen for my OpenID transactions today, but I  
would want the site to prompt for a password if I was doing something  
important. The only way for the IdP to know that is for the RP to  
tell it somehow -> auth_age request.

> Does that make us a "BadCitizen-IdP"?  I don't believe it does.
> Expiring cookies sooner seems beneficial for a particular group of
> users, those who are:
> 1) cautious enough to not leave their myopenid.com password in their
> browser's password cache, and
> 2) careless enough to leave their desktops unlocked when unattended.

I only fall into category (2), but would like to get prompted when it  
is important per above.

> The combination of those two contrasting qualities seems likely to  
> be a
> small subset of our user base.  We hoped the remaining users who  
> really
> wanted to not have old login cookies laying around would avail
> themselves of the "sign off" button.

Signing off from myopenid.com is not readily available in my user- 
Curious how you expect the user to goto the IdP to logout?

-- Dick
specs mailing list

Reply via email to