On 9-Oct-06, at 1:12 AM, Josh Hoyt wrote:

> On 10/8/06, Dick Hardt <[EMAIL PROTECTED]> wrote:
>> [...] I would want the site to prompt for a password if I was doing
>> something important. The only way for the IdP to know that is for the
>> RP to tell it somehow -> auth_age request.
> This is only useful in conjunction with signed requests. A malicious
> 3rd party could easily remove whatever parameter(s) in the request
> that made the IdP prompt for the password. If the request is not
> signed, it's a false sense of security at best.

Not true. The malicious 3rd party can modify the request, but not the  

The response would contain the auth_age parameter as well, so the RP  
would know if the IdP was claiming to have performed the request.

-- Dick
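The point of disagreement above is where the integrity check has to live. An unsigned request parameter can be dropped by anyone in the path, but if the IdP echoes auth_age back inside the signed part of its response, the RP can tell whether the IdP actually saw and honoured the request. The Python below is an added illustration of that RP-side check, written for this discussion and not taken from any OpenID library or from the thread's authors. It assumes OpenID 1.x-style signing (a comma-separated `signed` list and an HMAC-SHA1 `sig` over the key-value form of those fields); the `auth_age` semantics, the shared secret, the RP policy and all identity URLs are constructed sample values, and the scenario functions show how each of the cases raised in the thread comes out.

```python
import base64
import hashlib
import hmac

# Constructed association secret shared by RP and IdP (in OpenID it comes
# from the association handshake; here it is a hard-coded sample).
SHARED_SECRET = b"constructed-association-secret"

# Hypothetical RP policy: the user must have authenticated at the IdP
# within the last MAX_AUTH_AGE seconds for this "important" operation.
MAX_AUTH_AGE = 300

# Constructed response fields common to every scenario.
BASE = {
    "mode": "id_res",
    "identity": "http://example.com/alice",      # constructed
    "return_to": "http://rp.example/return",    # constructed
}


def kv_form(fields, names):
    """OpenID key-value form: one 'name:value\\n' line per signed field, in order."""
    return "".join(f"{name}:{fields[name]}\n" for name in names).encode()


def idp_sign(fields, signed_names):
    """IdP side: sign the listed fields and attach 'signed' and 'sig'."""
    mac = hmac.new(SHARED_SECRET, kv_form(fields, signed_names), hashlib.sha1).digest()
    out = dict(fields)
    out["signed"] = ",".join(signed_names)
    out["sig"] = base64.b64encode(mac).decode()
    return out


def rp_verify(response, max_age=MAX_AUTH_AGE):
    """RP side: returns (accepted, reason).

    The signature is checked first; only then is auth_age trusted, and only
    if it is one of the fields the signature actually covers.
    """
    signed_names = response.get("signed", "").split(",")
    try:
        body = kv_form(response, signed_names)
    except KeyError as missing:
        return False, f"signed field missing from response: {missing}"
    expected = hmac.new(SHARED_SECRET, body, hashlib.sha1).digest()
    try:
        got = base64.b64decode(response.get("sig", ""))
    except (ValueError, TypeError):
        return False, "malformed signature"
    if not hmac.compare_digest(expected, got):
        return False, "bad signature"
    # An auth_age that is present but unsigned is worth nothing: anyone in
    # the path could have written it. Treat it the same as absent.
    if "auth_age" not in signed_names:
        return False, "auth_age absent or not covered by the signature"
    try:
        age = int(response["auth_age"])
    except ValueError:
        return False, "auth_age not an integer"
    if age < 0 or age > max_age:
        return False, f"auth_age {age}s exceeds policy of {max_age}s"
    return True, "ok"


ALL_SIGNED = ["mode", "identity", "return_to", "auth_age"]
NO_AGE_SIGNED = ["mode", "identity", "return_to"]


def scenario_fresh_auth():
    # IdP saw the request, re-prompted, and signs a small auth_age.
    return rp_verify(idp_sign({**BASE, "auth_age": "12"}, ALL_SIGNED))


def scenario_stale_auth():
    # IdP signs honestly but the session is a day old: RP policy rejects it.
    return rp_verify(idp_sign({**BASE, "auth_age": "86400"}, ALL_SIGNED))


def scenario_request_param_stripped():
    # The request parameter never reached the IdP, so the IdP's signed
    # response carries no auth_age at all. The RP notices exactly that.
    return rp_verify(idp_sign(dict(BASE), NO_AGE_SIGNED))


def scenario_unsigned_auth_age_present():
    # auth_age is in the response but outside the signed set; the RP
    # must not accept it, however reassuring the value looks.
    resp = idp_sign(dict(BASE), NO_AGE_SIGNED)
    resp["auth_age"] = "1"
    return rp_verify(resp)


def scenario_tampered_signed_value():
    # A signed auth_age altered in transit fails the signature check.
    resp = idp_sign({**BASE, "auth_age": "86400"}, ALL_SIGNED)
    resp["auth_age"] = "1"
    return rp_verify(resp)


if __name__ == "__main__":
    for fn in (scenario_fresh_auth, scenario_stale_auth, scenario_request_param_stripped,
               scenario_unsigned_auth_age_present, scenario_tampered_signed_value):
        print(f"{fn.__name__:36s} -> {fn()}")
```

Only the first scenario is accepted. The stripped-request case is the one the thread is about: the RP cannot see what happened to its request on the way out, but the absence of a signed auth_age in the reply is visible and is treated as a failure rather than a silent downgrade.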
