[Openid-specs-ab] Simplifying preferred_locales and max_age

Brian Campbell bcampbell at pingidentity.com
Mon Feb 4 19:53:27 UTC 2013


I wasn't saying that there shouldn't be a way to ask for auth_time. But
rather questioning the claim (pun intended) that signing the max_auth_age
request was really that important or provided a great deal of value (as the
client should validate what it gets back regardless of what it asked for).


On Mon, Feb 4, 2013 at 12:12 PM, John Bradley <ve7jtb at ve7jtb.com> wrote:

> No but there are currently two separate requests, one for the max_auth_age
> and the other requesting the auth_time claim.  The current spec doesn't
> couple them.
> Removing a way for the client to ask for auth_time in the response to
> determine if max_auth_age was acted on is a problem.
>
> The solution may be simple by just saying that you need to return
> auth_time if the authorization server honours the max_auth_age request.
>
>
> On 2013-02-04, at 11:55 AM, Brian Campbell <bcampbell at pingidentity.com>
> wrote:
>
> In general isn't it really incumbent upon the client/RP to validate
> security sensitive things, like auth_time and acr, as needed in the
> response?
>
> That's how I've read it anyway, that the client can make whatever request
> it wants but that the OP isn't necessarily obligated (or capable) to live
> up to what is requested. And the client needs to enforce things that are
> important to it.
>
> Is my interpretation wrong on that?
>
> On Fri, Feb 1, 2013 at 5:09 PM, John Bradley <ve7jtb at ve7jtb.com> wrote:
>
>>
>> For max_age you don't necessarily want the user to be able to modify that
>> in the request, that might cause security issues if auth_time is not
>> required in the response, the RP may be thinking it is getting a stronger
>> authentication than it is in reality.
>>
>> I would prefer to leave max_age in the signed request and not confuse the
>> lower security parameter based request with it.
>>
>>
>
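As an added example (not code from the thread, the OpenID Connect spec, or any participant), this is the RP-side check the discussion argues for: the client enforces max_age and acr on what actually comes back in the ID Token, and treats a missing auth_time after a max_age request as a failure rather than assuming freshness. The claim sets and the fixed clock value are constructed for illustration.

```python
import time

# Constructed ID Token claim sets for illustration (not real tokens).
CLAIMS_FRESH = {"sub": "alice", "iss": "https://op.example",
                "auth_time": 1_000_000, "acr": "urn:example:mfa"}
CLAIMS_STALE = {"sub": "alice", "iss": "https://op.example",
                "auth_time": 999_000}
CLAIMS_NO_AUTH_TIME = {"sub": "alice", "iss": "https://op.example"}


def check_auth_time(claims, max_age, now=None, skew=0, required_acr=None):
    """RP-side enforcement of max_age (and optionally acr) on ID Token claims.

    Returns (ok, detail). What the RP *asked for* is not binding on the OP,
    so the RP validates what it *got back*; signature and exp/iss/aud checks
    are assumed to have been done already.
    """
    now = int(time.time()) if now is None else now
    if max_age is not None:
        auth_time = claims.get("auth_time")
        # An OP that did not honour max_age may omit auth_time. Without it the
        # RP cannot tell how old the authentication is, so it must not assume
        # it got the freshness it requested.
        if not isinstance(auth_time, int) or isinstance(auth_time, bool):
            return False, "max_age requested but auth_time missing or not an int"
        if auth_time > now + skew:
            return False, "auth_time lies in the future"
        age = now - auth_time
        if age > max_age + skew:
            return False, f"authentication is {age}s old, exceeds max_age={max_age}s"
    # acr is handled the same way: requested level means nothing until checked.
    if required_acr is not None and claims.get("acr") != required_acr:
        return False, f"acr {claims.get('acr')!r} != required {required_acr!r}"
    return True, "ok"


if __name__ == "__main__":
    now = 1_000_100  # fixed clock so the run is reproducible
    for name, claims in [("fresh", CLAIMS_FRESH), ("stale", CLAIMS_STALE),
                         ("no auth_time", CLAIMS_NO_AUTH_TIME)]:
        print(name, check_auth_time(claims, max_age=300, now=now))
```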