Clarification: auth_age allows an RP to specify how long it has been since the IdP has authenticated the user. The use case of this is for sites that have different auth_age requirements for different sections of the site. For example, amazon.com lets me browse around the site with a fairly old auth_age, but when I go to purchase, amazon wants to make sure it is still me, and asks me for my password again.

With OpenID, the IdP is prompting the user for their password on behalf of the RP, so in order for amazon to have the same functionality with OpenID, amazon needs to be able to differentiate between an authn request with a long auth_age and one with a zero auth_age.

Note that this is only a request from the RP. It is not a security requirement. I can have my browser autocomplete my password at amazon.com, so prompting me for my password again when I checkout provides no assurance it is still me at the browser, but it is *my* choice to do that, i.e. the user's choice on how to deal with the prompt. Amazon is giving me the choice to have higher security on checkout than on browsing the site. In other words, Amazon is giving the IdP context about the authn request. This is similar to the RP stating that a field in a form is required. There is nothing that forces the user to type anything in; it is a request.

This is different than an RP requesting strong authentication. This is a security request, and the RP must trust whoever is making the claim that strong authentication was performed.

Auth spec vs Extension

Although this functionality could be in an extension, it seems to be a lot of overhead for a single parameter. This is the AuthN spec after all, and auth_age is a parameter around what the IdP does wrt. AuthN.

-- Dick

_______________________________________________
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs
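The RP-side behaviour described in the post (an old login is fine for browsing, checkout asks the IdP for a fresh one, and the RP can only act on what the IdP claims back) as an added example; this is illustration code, not anything from the OpenID specs or the poster. It assumes a hypothetical request parameter `openid.auth_age` (the proposal under discussion) and a hypothetical response field `openid.auth_time` carrying a Unix timestamp of the IdP's last authentication; neither name is defined on the page.

```python
"""
Added example: per-section authentication freshness at an OpenID RP.

Assumptions (hypothetical, not defined on the page):
  - the RP sends the requested maximum age as "openid.auth_age" (seconds)
  - the IdP reports when it last authenticated the user as "openid.auth_time"
    (Unix timestamp) in the signed response
The freshness check below runs only after the response signature has been
verified; the RP is trusting the IdP's claim, exactly as the post says.
"""
import time
from urllib.parse import urlencode, parse_qs

# Maximum acceptable age of the IdP's authentication per site section, in seconds.
# Browsing tolerates an old login; checkout asks for a re-prompt now (0).
SECTION_MAX_AUTH_AGE = {
    "browse": 30 * 24 * 3600,
    "checkout": 0,
}


def build_auth_request(section, return_to, identity):
    """Build the query string of a checkid_setup request carrying the
    section's auth_age requirement (hypothetical parameter name)."""
    max_age = SECTION_MAX_AUTH_AGE[section]
    params = {
        "openid.mode": "checkid_setup",
        "openid.identity": identity,
        "openid.return_to": return_to,
        "openid.auth_age": str(max_age),  # hypothetical: proposed parameter
    }
    return urlencode(params)


def check_auth_freshness(response_query, section, now=None, skew=60):
    """Decide whether the IdP's reported authentication time satisfies the
    section's auth_age. Returns (ok, reason).

    Edge cases handled: missing or malformed auth_time (treated as not fresh,
    since the RP cannot verify what was never claimed) and clock skew between
    RP and IdP (tolerated up to `skew` seconds in either direction).
    """
    now = time.time() if now is None else now
    fields = parse_qs(response_query)
    max_age = SECTION_MAX_AUTH_AGE[section]

    values = fields.get("openid.auth_time")  # hypothetical response field
    if not values:
        return False, "IdP did not report auth_time; freshness cannot be verified"
    try:
        auth_time = int(values[0])
    except ValueError:
        return False, "malformed auth_time"

    if auth_time > now + skew:
        return False, "auth_time lies in the future beyond the allowed clock skew"

    age = now - auth_time
    if age > max_age + skew:
        return False, f"authentication is {int(age)}s old; section allows {max_age}s"
    return True, "fresh enough"


if __name__ == "__main__":
    # Constructed sample values: a response claiming a login 20 minutes ago.
    sample_now = 1_700_000_000
    sample_response = f"openid.mode=id_res&openid.auth_time={sample_now - 20 * 60}"
    print(build_auth_request("checkout", "https://rp.example/return", "https://alice.example/"))
    for section in ("browse", "checkout"):
        print(section, check_auth_freshness(sample_response, section, now=sample_now))
```

The browse/checkout split mirrors the post's point: the RP expresses a per-section preference, the IdP decides whether to prompt, and the RP's only recourse is to inspect the IdP's claim after the fact, so a missing claim is treated as "not fresh" rather than silently accepted.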