Just food for thought some day...

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Evan Prodromou
Sent: Monday, June 11, 2007 5:31 AM
To: openid-general
Subject: Re: [OpenID] Recycling OpenIDs

On Sat, 2007-09-06 at 09:47 -0400, Evan Prodromou wrote:
> If relying parties require some high level of authentication, we have
> ways to specify that.

I think I should have been more specific here: the best way to solve the ID lifetime problem is to add a parameter to AQE that lets the OP specify the expected lifetime of the identifier.

enroll.lifetime - integer, time in days that the OP expects the identifier to identify the current principal.

Some sample values:

* 0: the identifier could belong to a different principal at any time. For example, anonymous OPs or OPs where users can manually change their own identifiers to any unused value at will.
* Session: the identifier will belong to the current principal for the duration of the principal's browser session.
* 730: the OP recycles identifiers if they haven't been used in 2 years.
* Inf: the OP's policy is that the identifier will be used for only one principal. "Infinity" is an ideal expectation, subject to the lifetime of the OP, of the OpenID protocol, of the Internet, and of the universe. More immediately, there may be changes to the policy in the future.

Note that there is no way to specify non-zero lifetimes shorter than one day, and that the special non-integer strings "Session" and "Inf" are acceptable values.

I'm actually not sure how to implement an OP that would use "Session" -- possibly with a browser plugin? -- but I included it for completeness.

-Evan

--
Evan Prodromou <[EMAIL PROTECTED]>

_______________________________________________
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs
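Added example, not part of the message above or of any OpenID specification: how a relying party could parse the proposed enroll.lifetime value (whole days, "Session" or "Inf") and decide whether an identifier is stable enough to link to a persistent local account. The response field name openid.aqe.enroll.lifetime, the RP's day threshold and the three-way decision are assumptions of this example.

```python
import math
import re

# Representations chosen by this example for the two special values the
# proposal allows besides a non-negative integer number of days.
SESSION = "session"
INFINITE = math.inf

_DAYS_RE = re.compile(r"^\d+$")  # whole days only; the proposal has no sub-day values


def parse_enroll_lifetime(value):
    """Parse a raw enroll.lifetime value into an int of days, SESSION or INFINITE.

    Anything the proposal does not define (negative numbers, fractions of a
    day, unknown strings) raises ValueError: the RP must not guess a policy.
    """
    text = value.strip()
    if text.lower() == "session":
        return SESSION
    if text.lower() == "inf":
        return INFINITE
    if _DAYS_RE.match(text):
        return int(text)
    raise ValueError(f"unsupported enroll.lifetime value: {value!r}")


def binding_decision(lifetime, min_days_to_bind):
    """Hypothetical RP policy for one parsed lifetime.

    'bind'    - link the identifier to a durable local account
    'session' - accept it for this login only, create no durable link
    'reject'  - the identifier may change hands at any time
    """
    if lifetime == SESSION:
        return "session"
    if lifetime == INFINITE or lifetime >= min_days_to_bind:
        return "bind"
    if lifetime == 0:
        return "reject"
    return "session"  # stable for a while, but shorter than the RP requires


def evaluate_response(fields, min_days_to_bind):
    """Apply the policy to a decoded OpenID response (field name is assumed).

    A missing parameter is treated like 0: the RP knows nothing about the
    OP's recycling policy and must not assume the identifier is durable.
    """
    raw = fields.get("openid.aqe.enroll.lifetime")  # assumed key, not from any spec
    lifetime = 0 if raw is None else parse_enroll_lifetime(raw)
    return binding_decision(lifetime, min_days_to_bind)
```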