David,

On 22-Jun-07, at 9:46 AM, Recordon, David wrote:
> So please, check it out and let me know what you think...especially
> around the questions in the Editorial Comments section at the end.
Here are the issues that came up while I implemented PAPE in openid4java:

5.1 Request Parameters

- Is preferred_auth_policies REQUIRED? Assume yes, but not clearly spelled out.

- "the OP MUST authenticate the End User for this request." What if the OP / user don't want to re-authenticate, and have reasons to continue their session with the previous / old auth? (For example user changed his mind at the OP about buying the book from amazon, and declines the OP's request to re-authenticate).

- "The OP should realize that not adhering to the request for re-authentication..." implies there is an alternative to the above (other than breaking the protocol). Maybe the MUST above should be a SHOULD?

- (max_)auth_age is defined as "numeric". Is there value for allowing floating-point numbers here? Would be simpler to be an integer.

5.2 Response Parameters

- auth_age: What should the value be if the OP did not actively authenticate the user for the current session? Suggesting "unknown" as a special value for this.

- auth_age: Since the message may spend a (not-insignificant) time after it's created (by the library) before it's put on the wire, and while it's being processed by the RP, a timestamp value may be better suited here (rename it to auth_time maybe?). This way the RP will be able to determine the auth_age at any time (e.g. when it actually needs to perform the sensitive operation). Could use the formatting used for nonces (from RFC3339).

- nist_auth_level: "Numeric value" - probably was meant as integer value.

Thanks,
Johnny

_______________________________________________
specs mailing list
email@example.com
http://openid.net/mailman/listinfo/specs
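As an added illustration of the auth_time proposal in the message above (example code, not from openid4java or the PAPE draft): an RP-side check that derives the authentication age from an RFC 3339 auth_time, falls back to the draft's auth_age, and treats the proposed "unknown" value as never satisfying max_auth_age. The auth_time parameter name and the "unknown" sentinel are assumed from the proposal, not taken from the specification.

```python
from datetime import datetime, timezone

# Assumed names follow the proposal in the message above, not the PAPE draft:
# the OP response carries either "auth_age" (integer seconds or "unknown")
# or an RFC 3339 UTC "auth_time"; the RP enforces an integer max_auth_age.

def parse_rfc3339_utc(value):
    """Parse the RFC 3339 UTC form used for OpenID nonces, e.g. 2007-06-22T16:46:00Z."""
    if not value.endswith("Z"):
        raise ValueError("expected a UTC timestamp ending in 'Z'")
    naive = datetime.strptime(value[:-1], "%Y-%m-%dT%H:%M:%S")
    return naive.replace(tzinfo=timezone.utc)

def auth_age_from_response(params, now, key_prefix="openid.pape."):
    """Return the authentication age in whole seconds, or None when the OP
    reported "unknown" or supplied neither field.

    auth_time is preferred: the RP can re-evaluate it at the moment it needs
    the sensitive operation. auth_age is used as-is, even though it has been
    going stale since the OP built the message."""
    auth_time = params.get(key_prefix + "auth_time")
    if auth_time is not None:
        age = (now - parse_rfc3339_utc(auth_time)).total_seconds()
        if age < 0:
            # A future auth_time means clock skew or a forged value; refuse it.
            raise ValueError("auth_time lies in the future; check clock skew")
        return int(age)
    auth_age = params.get(key_prefix + "auth_age")
    if auth_age is None or auth_age == "unknown":
        return None
    if not auth_age.isdigit():
        raise ValueError("auth_age must be a non-negative integer")
    return int(auth_age)

def fresh_enough(params, max_auth_age, now):
    """RP policy check: satisfied only by a concrete age no larger than the
    RP's limit. An "unknown" or missing age never satisfies max_auth_age."""
    age = auth_age_from_response(params, now)
    return age is not None and age <= max_auth_age

# Constructed sample: the RP evaluates the assertion at 17:00 UTC.
if __name__ == "__main__":
    now = parse_rfc3339_utc("2007-06-22T17:00:00Z")
    response = {"openid.pape.auth_time": "2007-06-22T16:46:00Z"}
    print(auth_age_from_response(response, now), fresh_enough(response, 900, now))
```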