[OpenID] Persistent logins

Calvin Cheng cxcheng at mac.com
Tue Mar 13 18:01:44 UTC 2007

I understand why OpenID should not be a distributed session management system.
However, perhaps RPs can request for validate identity not just on "one time" or "forever" basis, but on a "session" basis where OpenID can issue a secure session key. Just thinking aloud.

On Tuesday, March 13, 2007, at 10:48AM, "Nic James Ferrier" <nferrier at tapsellferrier.co.uk> wrote:
>"Max Metral" <max at artsalliancelabs.com> writes:
>> I was afraid this might be the case.  It's a pretty big hole I would
>> submit, because sites aren't going to make their members suffer by
>> having to login repeatedly (if they don't want to), but members
>> shouldn't have to answer that question many times, and I shouldn't have
>> to sacrifice the ability to undo a previous decision (on a different
>> machine).  So either the IDPs have to start implementing custom tools,
>> or the protocol needs an extension. (or I'm missing something)
>> In my past life I built Microsoft Passport, and I remember confronting
>> these same problems.  I won't bore (or somehow compromise) the list by
>> describing the solution, but suffice to say it was "unpleasant" but
>> worked.  In the end, if check_auth isn't server-to-server only, it would
>> seem we'd need that mechanism.  And it would be even better if the
>> consumer got to specify it's desire for that kind of assertion up
>> front.
>There are solutions to the separate problem of machine to machine
>identity assertion which might work.
>I don't personally like those much though, given that I have a
>provider that does silent authentication (http://prooveme.com)
>Nic Ferrier
>Need a linux/java/python/web hacker?  I'm in need of work!

More information about the general mailing list