[Openid-specs-ab] Simplifying preferred_locales and max_age

John Bradley ve7jtb at ve7jtb.com
Sat Feb 2 16:05:35 UTC 2013


Well, there is no difference. From a security point of view you probably don't want to use a request object signing alg of none.

I prefer not to add something like a max_age query parameter that is always subject to tampering.

That said, there is a certain symmetry to allowing all the top level request object claims as query parameters, which is appealing.

If we made it required to send auth_time in the response if max_age is requested unsigned, that would be OK with me, as the RP could at least tell if its request was ignored or tampered with.

John
Sent from my iPad

On 2013-02-02, at 7:09 AM, Torsten Lodderstedt <torsten at lodderstedt.net> wrote:

> Hi John,
> 
> where is the difference (from a security perspective) between query parameters and a request object sent with signature alg "none"?
> 
> regards,
> Torsten.
> 
> Am 02.02.2013 um 01:09 schrieb John Bradley <ve7jtb at ve7jtb.com>:
> 
>> For max_age you don't necessarily want the user to be able to modify that in the request, that might cause security issues if auth_time is not required in the response, the RP may be thinking it is getting a stronger authentication than it is in reality.
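The mitigation John sketches (the RP can only detect an ignored or tampered max_age if the OP is obliged to return auth_time) translates into a concrete relying-party check. The code below is an added example, not code from this thread or from any OpenID implementation; the function names, the 60-second clock-skew tolerance and the sample claims are my own assumptions. It assumes the ID token's signature has already been verified and that `claims` is its decoded payload. The final OpenID Connect Core 1.0 spec did make auth_time REQUIRED in the ID token when max_age is requested, which is what makes this check reliable.

```python
"""Relying-party side check of auth_time against the max_age the RP itself requested.

Added example: not part of the mailing-list thread or any OpenID library.
"""
import time


class MaxAgeError(Exception):
    """Raised when the ID token does not satisfy the max_age the RP asked for."""


def verify_auth_time(claims, requested_max_age, now=None, clock_skew=60):
    """Check that the authentication reported in an ID token is fresh enough.

    claims            -- decoded ID token payload (signature already verified)
    requested_max_age -- the max_age value the RP put in its OWN request, in
                         seconds, or None if it did not ask for one. Use the
                         value the RP stored before redirecting, never anything
                         echoed back in the response, since the query string
                         can be tampered with in transit.
    now               -- current time in seconds since the epoch (default: time.time())
    clock_skew        -- tolerated OP/RP clock drift in seconds (assumed value)

    Returns the age of the authentication in seconds, or None when no max_age
    was requested. Raises MaxAgeError when auth_time is missing, malformed,
    unreasonably in the future, or older than requested_max_age.
    """
    if requested_max_age is None:
        return None
    if now is None:
        now = time.time()

    if "auth_time" not in claims:
        # The OP either ignored max_age or never received it (stripped or
        # altered query parameter). Without auth_time the RP has no evidence
        # of when the user actually authenticated, so it must not assume the
        # stronger, fresher authentication it asked for.
        raise MaxAgeError("auth_time missing from ID token although max_age was requested")

    auth_time = claims["auth_time"]
    # bool is a subclass of int in Python; reject it explicitly.
    if isinstance(auth_time, bool) or not isinstance(auth_time, (int, float)):
        raise MaxAgeError("auth_time is not a numeric timestamp")

    age = now - auth_time
    if age < -clock_skew:
        raise MaxAgeError("auth_time lies in the future beyond the skew window")
    if age > requested_max_age + clock_skew:
        # This is exactly the case where a downstream change of max_age in the
        # query string (e.g. 300 -> 86400) would otherwise go unnoticed: the
        # OP honoured the larger value, but auth_time exposes the real age.
        raise MaxAgeError(
            f"authentication is {age:.0f}s old but the RP requested max_age={requested_max_age}s"
        )
    return age


def max_age_satisfied(claims, requested_max_age, now=None, clock_skew=60):
    """Boolean convenience wrapper around verify_auth_time."""
    try:
        verify_auth_time(claims, requested_max_age, now=now, clock_skew=clock_skew)
        return True
    except MaxAgeError:
        return False


if __name__ == "__main__":
    # Constructed sample claims (not real tokens). The RP asked for max_age=300.
    now = int(time.time())
    fresh = {"iss": "https://op.example", "sub": "alice", "auth_time": now - 100}
    stale = {"iss": "https://op.example", "sub": "alice", "auth_time": now - 7200}
    no_auth_time = {"iss": "https://op.example", "sub": "alice"}
    for name, c in (("fresh", fresh), ("stale", stale), ("missing", no_auth_time)):
        print(name, "->", "accept" if max_age_satisfied(c, 300, now=now) else "reject")
```

The key design point is that `requested_max_age` comes from the RP's own session state, not from the response: the response proves only what the OP did, and comparing it against what the RP intended is what turns a tampered or ignored parameter into a detectable failure rather than a silent downgrade.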