On 10/8/06, Dick Hardt <[EMAIL PROTECTED]> wrote:
> [...] I would want the site to prompt for a password if I was doing something
> important. The only way for the IdP to know that is for the RP to
> tell it somehow -> auth_age request.

This is only useful in conjunction with signed requests. A malicious
3rd party could easily remove whatever parameter(s) in the request
that made the IdP prompt for the password. If the request is not
signed, it's a false sense of security at best.

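The point made in the reply above, worked through as an added example (not code from the original thread or from any OpenID specification): an IdP cannot tell that `auth_age` was stripped from an unsigned request, but it rejects a signed request that has been modified. The shared MAC key, the `signed`/`sig` parameter names, the canonical form and the `modify` helper are assumptions made for illustration.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode

# Constructed key; assumes the RP and IdP already share a MAC secret.
MAC_KEY = b"constructed-demo-key"


def _mac(params, signed):
    # Canonical "name:value\n" form over the signed fields, in listed order.
    payload = "".join(f"{k}:{params.get(k, '')}\n" for k in signed)
    return hmac.new(MAC_KEY, payload.encode(), hashlib.sha256).hexdigest()


def rp_build_request(params):
    """RP side: sign every parameter, including the list of signed names."""
    out = dict(params)
    signed = sorted(out) + ["signed"]
    out["signed"] = ",".join(signed)
    out["sig"] = _mac(out, signed)
    return urlencode(out)


def idp_verify(query, require_signed=True):
    """IdP side: return the accepted parameters, or None if rejected."""
    params = dict(parse_qsl(query))
    if "sig" not in params:
        # Unsigned: the IdP only sees what arrived and cannot detect removals.
        return None if require_signed else params
    signed = params.get("signed", "").split(",")
    # Every listed field must be present, and nothing unlisted may ride along.
    if set(params) - {"sig"} != set(signed):
        return None
    if not hmac.compare_digest(_mac(params, signed), params["sig"]):
        return None
    return params


def modify(query, drop, set_signed=None):
    """Test fixture: the in-transit change described above (hypothetical helper)."""
    pairs = [(k, v) for k, v in parse_qsl(query) if k != drop]
    if set_signed is not None:
        pairs = [(k, set_signed if k == "signed" else v) for k, v in pairs]
    return urlencode(pairs)
```

Covering the `signed` list with the MAC matters: otherwise the parameter and its entry in the list could be removed together and the remaining fields would still verify.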