On 9-Oct-06, at 1:12 AM, Josh Hoyt wrote:

> On 10/8/06, Dick Hardt <[EMAIL PROTECTED]> wrote:
>> [...] I would want the site to prompt for a password if I was
>> doing something important. The only way for the IdP to know that is
>> for the RP to tell it somehow -> auth_age request.
>
> This is only useful in conjunction with signed requests. A malicious
> 3rd party could easily remove whatever parameter(s) in the request
> that made the IdP prompt for the password. If the request is not
> signed, it's a false sense of security at best.
Not true. The malicious 3rd party can modify the request, but not the response. The response would contain the auth_age parameter as well, so the RP would know if the IdP was claiming to have performed the request.

-- Dick

_______________________________________________
specs mailing list
firstname.lastname@example.org
http://openid.net/mailman/listinfo/specs
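The two positions in the exchange above, as an added example that is not part of the thread and not OpenID's actual wire format: the RP sends an unsigned request carrying a freshness requirement, an intermediary strips it, the IdP answers with a signed response that echoes the authentication age it actually achieved, and the RP checks that signed value against its own requirement. The parameter names `max_auth_age` and `auth_age`, the JSON canonical form, the HMAC association secret and all timestamps are assumptions constructed for this example.

```python
import hashlib
import hmac
import json
from typing import Optional

# Constructed RP/IdP association secret (an assumption of this example, not a real key).
SHARED_SECRET = b"constructed-rp-idp-association-secret"


def sign(fields: dict) -> str:
    """HMAC over a canonical JSON encoding of the response fields (constructed scheme)."""
    canonical = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(SHARED_SECRET, canonical, hashlib.sha256).hexdigest()


def build_request(return_to: str, max_auth_age: Optional[int]) -> dict:
    """RP side: an unsigned authentication request. max_auth_age (hypothetical
    parameter name) is the RP's demand for a recent password prompt."""
    req = {"return_to": return_to}
    if max_auth_age is not None:
        req["max_auth_age"] = max_auth_age
    return req


def tamper_strip_max_auth_age(req: dict) -> dict:
    """Models the concern raised in the thread: the unsigned request loses the
    parameter before it reaches the IdP."""
    return {k: v for k, v in req.items() if k != "max_auth_age"}


def idp_respond(req: dict, last_auth_time: float, now: float) -> dict:
    """IdP side: re-prompts only if the request it received asks for it, then
    returns a response whose fields, auth_age included, are covered by the signature."""
    auth_age = int(now - last_auth_time)
    if "max_auth_age" in req and auth_age > req["max_auth_age"]:
        auth_age = 0  # constructed: a fresh password prompt just happened
    fields = {
        "return_to": req["return_to"],
        "identity": "https://example.org/alice",  # constructed identity
        "auth_age": auth_age,
    }
    return {"fields": fields, "sig": sign(fields)}


def rp_verify(resp: dict, required_max_auth_age: Optional[int]) -> bool:
    """RP side: trusts only signed fields, then compares the IdP's reported
    auth_age with what the RP itself required, whatever reached the IdP."""
    if not hmac.compare_digest(sign(resp["fields"]), resp["sig"]):
        return False
    if required_max_auth_age is None:
        return True
    age = resp["fields"].get("auth_age")
    return age is not None and age <= required_max_auth_age


def scenario(tampered: bool) -> bool:
    """Run one login: user authenticated an hour ago, RP requires <= 60 s.
    Returns whether the RP accepts the response."""
    now = 1_000_000.0
    last_auth = now - 3600  # constructed: last password prompt one hour ago
    req = build_request("https://rp.example/return", max_auth_age=60)
    if tampered:
        req = tamper_strip_max_auth_age(req)
    resp = idp_respond(req, last_auth, now)
    return rp_verify(resp, required_max_auth_age=60)


if __name__ == "__main__":
    print("untampered request accepted:", scenario(False))  # True
    print("stripped request accepted:  ", scenario(True))   # False
```

With the parameter intact the IdP re-prompts and reports `auth_age` 0, which the RP accepts; with the parameter stripped the IdP reports 3600 and the RP rejects the signed response because its own requirement was 60 seconds. Altering `auth_age` in transit fails the signature check, so the RP's decision rests only on what the IdP actually signed.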