[Openid-specs-ab] Simplifying preferred_locales and max_age

Brian Campbell bcampbell at pingidentity.com
Mon Feb 4 18:55:50 UTC 2013


In general, isn't it really incumbent upon the client/RP to validate
security-sensitive things, like auth_time and acr, as needed in the
response?

That's how I've read it anyway, that the client can make whatever request
it wants but that the OP isn't necessarily obligated (or capable) to live
up to what is requested. And the client needs to enforce things that are
important to it.

Is my interpretation wrong on that?

On Fri, Feb 1, 2013 at 5:09 PM, John Bradley <ve7jtb at ve7jtb.com> wrote:

>
> For max_age you don't necessarily want the user to be able to modify that
> in the request. That might cause security issues if auth_time is not
> required in the response: the RP may be thinking it is getting a stronger
> authentication than it is in reality.
>
> I would prefer to leave max_age in the signed request and not confuse the
> lower-security parameter-based request with it.
>
>
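The thread's point is that the RP has to enforce what it asked for rather than assume the OP honoured it: if max_age was requested, the ID token must carry auth_time and the RP must check it, and an acr value the RP cares about must be compared against what came back. The following is an added example illustrating that RP-side enforcement; it is not code from the thread, from OpenID, or from any OpenID Connect library. The function names (check_auth_time, check_acr, enforce_request_policy), the IdTokenPolicyError class and the sample claims are all constructed for this example, and it assumes the ID token's signature, iss, aud and exp have already been verified elsewhere. It goes slightly beyond the discussion by also rejecting an auth_time set in the future beyond a small clock-skew allowance.

```python
"""RP-side enforcement of max_age/auth_time and acr on an OpenID Connect ID token.

Added example, not from the mailing-list thread and not any library's code.
Assumes the token's signature, iss, aud and exp were already validated;
only the freshness and authentication-context checks are shown here.
"""
import time
from typing import Dict, Iterable, Optional


class IdTokenPolicyError(Exception):
    """Raised when the ID token does not satisfy what the RP requested."""


def check_auth_time(claims: Dict, requested_max_age: Optional[int],
                    now: Optional[float] = None, clock_skew: int = 60) -> Optional[int]:
    """Enforce max_age on the RP side.

    OpenID Connect Core requires the OP to include auth_time when max_age was
    requested. An OP that omits it cannot be shown to have re-authenticated the
    user, so the RP rejects the token instead of assuming stronger authentication
    than it actually got. Returns the age of the authentication in seconds, or
    None when max_age was not requested (nothing to enforce).
    """
    if requested_max_age is None:
        return None
    if requested_max_age < 0:
        raise ValueError("max_age must be non-negative")
    auth_time = claims.get("auth_time")
    # bool is a subclass of int in Python; exclude it explicitly
    if not isinstance(auth_time, int) or isinstance(auth_time, bool):
        raise IdTokenPolicyError("max_age requested but auth_time is missing or not an integer")
    now = time.time() if now is None else now
    if auth_time > now + clock_skew:
        raise IdTokenPolicyError("auth_time lies in the future beyond the allowed clock skew")
    age = int(now - auth_time)
    if age > requested_max_age + clock_skew:
        raise IdTokenPolicyError(
            f"authentication is {age}s old, which exceeds max_age={requested_max_age}")
    return age


def check_acr(claims: Dict, acceptable_acr: Optional[Iterable[str]]) -> Optional[str]:
    """Reject the token unless its acr claim is one the RP is willing to accept.

    When the RP has no acr requirement, the claim is returned (possibly None)
    without being enforced.
    """
    acr = claims.get("acr")
    if acceptable_acr is None:
        return acr
    acceptable = set(acceptable_acr)
    if acr not in acceptable:
        raise IdTokenPolicyError(f"acr {acr!r} is not in the acceptable set {sorted(acceptable)}")
    return acr


def enforce_request_policy(claims: Dict, requested_max_age: Optional[int],
                           acceptable_acr: Optional[Iterable[str]],
                           now: Optional[float] = None) -> Dict:
    """Run both checks and return what the RP can now rely on."""
    return {
        "auth_age_seconds": check_auth_time(claims, requested_max_age, now=now),
        "acr": check_acr(claims, acceptable_acr),
    }


if __name__ == "__main__":
    # Constructed sample claims; the acr value is a placeholder, not a real class reference.
    fixed_now = 1_360_000_000
    good = {"sub": "alice", "auth_time": fixed_now - 120, "acr": "urn:example:acr:strong"}
    print(enforce_request_policy(good, requested_max_age=300,
                                 acceptable_acr=["urn:example:acr:strong"], now=fixed_now))
    # An OP that ignored max_age and returned no auth_time is rejected, not trusted.
    try:
        enforce_request_policy({"sub": "alice"}, requested_max_age=300,
                               acceptable_acr=None, now=fixed_now)
    except IdTokenPolicyError as err:
        print("rejected:", err)
```

The key design choice is that a missing auth_time is a hard failure when max_age was requested, rather than a silent pass: the OP's omission is exactly the case in which the RP would otherwise believe it had a fresher authentication than it really does.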