[OpenID] Persistent logins

Nic James Ferrier nferrier at tapsellferrier.co.uk
Tue Mar 13 17:48:50 UTC 2007

"Max Metral" <max at artsalliancelabs.com> writes:

> I was afraid this might be the case.  It's a pretty big hole I would
> submit, because sites aren't going to make their members suffer by
> having to login repeatedly (if they don't want to), but members
> shouldn't have to answer that question many times, and I shouldn't have
> to sacrifice the ability to undo a previous decision (on a different
> machine).  So either the IDPs have to start implementing custom tools,
> or the protocol needs an extension. (or I'm missing something)
> In my past life I built Microsoft Passport, and I remember confronting
> these same problems.  I won't bore (or somehow compromise) the list by
> describing the solution, but suffice to say it was "unpleasant" but
> worked.  In the end, if check_auth isn't server-to-server only, it would
> seem we'd need that mechanism.  And it would be even better if the
> consumer got to specify it's desire for that kind of assertion up
> front.

There are solutions to the separate problem of machine to machine
identity assertion which might work.

I don't personally like those much though, given that I have a
provider that does silent authentication (http://prooveme.com)

Nic Ferrier
Need a linux/java/python/web hacker?  I'm in need of work!

More information about the general mailing list