> So please, check it out and let me know what you think...especially
> around the questions in the Editorial Comments section at the end.

Here are the issues that came up while I implemented PAPE in  

5.1 Request Parameters

- Is preferred_auth_policies REQUIRED? Assume yes, but not clearly  
spelled out.

- "the OP MUST authenticate the End User for this request."

What if the OP / user don't want to re-authenticate, and have reasons  
to continue their session with the previous / old auth? (For example  
user changed his mind at the OP about buying the book from amazon,  
and declines the OP's request to re-authenticate).

- "The OP should realize that not adhering to the request for  
re-authentication..." implies there is an alternative to the above  
(other than breaking the protocol). Maybe the MUST above should be a  

- (max_)auth_age is defined as "numeric". Is there value in allowing  
floating-point numbers here? Would be simpler to be an integer.

5.2 Response Parameters

- auth_age: What should the value be if the OP did not actively  
authenticate the user for the current session? Suggesting "unknown"  
as a special value for this.

- auth_age: Since the message may spend a (not-insignificant) time  
after it's created (by the library)
        before it's put on the wire
        on the wire
        while it's being processed by the RP
a timestamp value may be better suited here (rename it to auth_time  
maybe?). This way the RP will be able to determine the auth_age at  
any time (e.g. when it actually needs to perform the sensitive  
operation). Could use the formatting used for nonces (from RFC3339).

- nist_auth_level: "Numeric value" - probably was meant as an integer  
