On 21-Jul-07, at 4:55 PM, Recordon, David wrote:

> 5.1
> 1) Clarified.
>
> 2 & 3) Changed the MUST to a SHOULD, since the intent was never to
> restrict what a user could do.
>
> 4) Changed to "Integer"
>
> 2) I'm fine with time coming back instead of number of seconds.
>
> 3) Changed to integer.

Great, thanks. Were these checked in? I don't see them in SVN yet.

> 5.2
> 1) What is the use-case for this? As the parameter always
> describes the
> policies returned in pape_auth_policies, the Provider should always
> know
> how long ago the user authenticated within the session.

Depending on how 'active authentication' is defined, there may be no such authentication performed at all. If there is no 'active authentication', there can't be an age for it either.

Specifically, Sxipper never prompts users for their password (that's what I think 'active' means).

Maybe also clarify then 'active authentication'? Or, if auth_age/time is intended to describe only the requested / performed authentication policies, remove the 'active' word from the description of the field, and define a new 'active authentication' policy (which can be requested separately), and tie the auth_age/time in the response to it.

Thanks,
Johnny

_______________________________________________
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs