On 21-Jul-07, at 4:55 PM, Recordon, David wrote:
> 5.1
> 1) Clarified.
> 2 & 3) Changed the MUST to a SHOULD, since the intent was never to
> restrict what a user could do.
> 4) Changed to "Integer"
> 2) I'm fine with time coming back instead of number of seconds.
> 3) Changed to integer.

Great, thanks. Were these checked-in? I don't see them in SVN yet.

> 5.2
> 1) What is the use-case for this?  As the parameter always  
> describes the
> policies returned in pape_auth_policies, the Provider should always  
> know
> how long ago the user authenticated within the session.

Depending on how 'active authentication' is defined, there may be no  
such authentication performed at all. If there is no 'active  
authentication', there can't be an age for it either.

Specifically, Sxipper never prompts users for their password (that's  
what I think 'active' means). Maybe also clarify then 'active  

Or, if auth_age/time is intended to describe only the requested /  
performed authentication policies, remove the 'active' word from the  
description of the field, and define a new 'active authentication'  
policy (which can be requested separately), and tie the auth_age/time  
in the response to it.


specs mailing list

Reply via email to