5.1
1) Clarified.
2 & 3) Changed the MUST to a SHOULD, since the intent was never to restrict what a user could do.
4) Changed to "Integer"

5.2
1) What is the use-case for this? As the parameter always describes the policies returned in pape_auth_policies, the Provider should always know how long ago the user authenticated within the session.
2) I'm fine with time coming back instead of number of seconds.
3) Changed to integer.

Thanks,
--David

-----Original Message-----
From: Johnny Bufu [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 28, 2007 7:31 PM
To: Recordon, David
Cc: specs@openid.net
Subject: Re: OpenID Provider Authentication Policy Extension

David,

On 22-Jun-07, at 9:46 AM, Recordon, David wrote:
> So please, check it out and let me know what you think...especially
> around the questions in the Editorial Comments section at the end.

Here are the issues that came up while I implemented PAPE in openid4java:

5.1 Request Parameters

- Is preferred_auth_policies REQUIRED? Assume yes, but not clearly spelled out.

- "the OP MUST authenticate the End User for this request." What if the OP / user don't want to re-authenticate, and have reasons to continue their session with the previous / old auth? (For example user changed his mind at the OP about buying the book from amazon, and declines the OP's request to re-authenticate).

- "The OP should realize that not adhering to the request for re-authentication..." implies there is an alternative to the above (other than breaking the protocol). Maybe the MUST above should be a SHOULD?

- (max_)auth_age is defined as "numeric". Is there value for allowing floating-point numbers here? Would be simpler to be an integer.

5.2 Response Parameters

- auth_age: What should the value be if the OP did not actively authenticate the user for the current session? Suggesting "unknown" as a special value for this.
- auth_age: Since the message may spend a (not-insignificant) time after it's created (by the library) before it's put on the wire, while it's being processed by the RP, a timestamp value may be better suited here (rename it to auth_time maybe?). This way the RP will be able to determine the auth_age at any time (e.g. when it actually needs to perform the sensitive operation). Could use the formatting used for nonces (from RFC3339).

- nist_auth_level: "Numeric value" - probably was meant as integer value.

Thanks,
Johnny
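The auth_time / max_auth_age handling discussed in the thread, as an added example that is neither openid4java code nor part of either message: the RP computes the age itself from an RFC 3339 auth_time (nonce layout), treats "unknown" as failing the bound, and insists on an integer max_auth_age. The function names, the RFC3339_UTC layout constant, and passing the RP's check time as a string are assumptions made for this example.

```python
from datetime import datetime, timezone

# Added example (not from openid4java or the PAPE spec text): an RP-side check
# for the auth_time / max_auth_age proposal in the thread. The layout below
# matches the RFC 3339 form used for OpenID nonces (e.g. "2007-06-28T19:31:00Z");
# "unknown" is the sentinel suggested for a session the OP did not actively
# authenticate.
RFC3339_UTC = "%Y-%m-%dT%H:%M:%SZ"
UNKNOWN = "unknown"


def parse_auth_time(value):
    """Return an aware UTC datetime, or None for a missing/"unknown" auth_time."""
    if value is None or value.strip().lower() == UNKNOWN:
        return None
    # strptime is strict: anything other than the nonce layout raises ValueError
    return datetime.strptime(value.strip(), RFC3339_UTC).replace(tzinfo=timezone.utc)


def auth_age_seconds(auth_time_value, now_value):
    """Whole seconds between the OP-reported auth_time and the RP's check time.

    The RP evaluates this when it needs it (e.g. right before the sensitive
    operation), so transit and processing delay no longer skew the number.
    Returns None when the OP reported "unknown".
    """
    auth_time = parse_auth_time(auth_time_value)
    if auth_time is None:
        return None
    now = datetime.strptime(now_value, RFC3339_UTC).replace(tzinfo=timezone.utc)
    return int((now - auth_time).total_seconds())


def satisfies_max_auth_age(auth_time_value, max_auth_age, now_value):
    """True only if the OP demonstrably authenticated the user within the bound.

    max_auth_age is the RP's own bound in whole seconds (the integer-not-float
    point from the thread); an unknown age or an auth_time in the future fails
    closed rather than being treated as fresh.
    """
    if isinstance(max_auth_age, bool) or not isinstance(max_auth_age, int) or max_auth_age < 0:
        raise ValueError("max_auth_age must be a non-negative integer number of seconds")
    age = auth_age_seconds(auth_time_value, now_value)
    if age is None or age < 0:
        return False
    return age <= max_auth_age
```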