[Openid-specs-ab] acr values

Tim Bray tbray at textuality.com
Mon Aug 12 20:45:52 UTC 2013


An RP.


On Mon, Aug 12, 2013 at 1:30 PM, Anthony Nadalin <tonynad at microsoft.com>wrote:

>  Who do you want to say something about the “session strength” to?
>
> *From:* openid-specs-ab-bounces at lists.openid.net [mailto:
> openid-specs-ab-bounces at lists.openid.net] *On Behalf Of *Tim Bray
> *Sent:* Monday, August 12, 2013 1:05 PM
> *To:* <openid-specs-ab at lists.openid.net>
> *Subject:* [Openid-specs-ab] acr values
>
> In our IDP role, we’re coming under a lot of pressure to say something
> about “session strength” and maybe in some circumstances force re-auth and
> so on.  There are a lot of different vocabularies in play that you could
> use to talk about this stuff, including NIST and ISO publications; and the
> work of the Fido alliance is maybe interesting.  So I expect a lot of churn
> in this space, and OIDC needs to allow sufficient elbow room.
>
> So, the purpose of this note is to confirm my understandings, based on
> looking at the OIDC Messages draft.  Do people agree with these?
>
> - It’s perfectly OK to provide any old URI we dream up as a value for the
> “acr” claim.
>
> - There may be awkwardness around multiple values; suppose I wanted to
> assert, for example, that the session is less than ten minutes old AND
> two-factor authent was used.  All I can think of is composing a URI along
> the lines of urn:google-auth-claims?max-age=10&two-factor=true; which is a
> little kludgy but I guess OK.  Awkward, though, in the case where there’s a
> Fido vocabulary for 2-factor-flavor and someone else’s vocabulary for
> session-freshness.
>
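The quoted message sketches carrying several session-strength facts in one `acr` value, such as `urn:google-auth-claims?max-age=10&two-factor=true`, and the reply points at the RP as the consumer of that statement. The following is an added example, not code from the mailing-list thread or from any OpenID specification, of what an RP might do with such a value: parse it, compare it against a local policy, and when the session is too weak build the parameters for a fresh authentication request. The URN, the parameter names `max-age` and `two-factor`, the assumption that `max-age` is in minutes, and the policy thresholds are all illustrative assumptions; `prompt`, `max_age` and `acr_values` are standard OpenID Connect authentication request parameters.

```python
"""Added example (not from the thread or any spec): RP-side handling of a
composite "acr" value like urn:google-auth-claims?max-age=10&two-factor=true.
The URN, parameter names, units and policy numbers are assumptions."""
from dataclasses import dataclass
from typing import Optional, Tuple
from urllib.parse import parse_qs


@dataclass(frozen=True)
class SessionStrength:
    scheme: str                 # text before the '?', names the vocabulary
    max_age: Optional[int]      # asserted session age in minutes (assumed unit)
    two_factor: Optional[bool]  # asserted second-factor use; None = not asserted


def parse_acr(acr: str) -> SessionStrength:
    """Split an acr value of the form <urn>?k=v&k=v into its parts.
    Anything not asserted stays None so that the policy check can tell
    'not asserted' apart from 'asserted false'."""
    base, _, query = acr.partition("?")
    params = parse_qs(query, keep_blank_values=True)
    max_age = None
    if "max-age" in params:
        try:
            max_age = int(params["max-age"][0])
        except ValueError:
            max_age = None          # unparsable value: treat as not asserted
    two_factor = None
    if "two-factor" in params:
        two_factor = params["two-factor"][0].strip().lower() == "true"
    return SessionStrength(base, max_age, two_factor)


@dataclass(frozen=True)
class RpPolicy:
    trusted_schemes: frozenset   # vocabularies this RP understands and trusts
    max_age_limit: int           # oldest session (minutes) the RP accepts
    require_two_factor: bool


def evaluate_acr(id_token_claims: dict, policy: RpPolicy) -> Tuple[bool, str]:
    """Return (accepted, reason) for the acr claim of a decoded ID Token.
    The claims are assumed to come from a token whose signature, issuer,
    audience and expiry were already verified; only session strength is
    judged here.  An acr from a vocabulary the RP does not know is rejected
    rather than guessed at, since its parameters carry no known meaning."""
    acr = id_token_claims.get("acr")
    if acr is None:
        return False, "no acr claim"
    s = parse_acr(acr)
    if s.scheme not in policy.trusted_schemes:
        return False, "unknown acr vocabulary: " + s.scheme
    if s.max_age is None or s.max_age > policy.max_age_limit:
        return False, "session age not asserted or too old"
    if policy.require_two_factor and s.two_factor is not True:
        return False, "second factor not asserted"
    return True, "ok"


def reauth_request_params(policy: RpPolicy) -> dict:
    """Parameters an RP adds to its next authentication request to force a
    fresh login.  prompt, max_age and acr_values are standard OIDC request
    parameters (max_age is in seconds); the acr_values string reuses the
    assumed composite-URI shape and must be form-encoded when placed in the
    request query string."""
    wanted = "urn:google-auth-claims?max-age=%d&two-factor=%s" % (
        policy.max_age_limit, "true" if policy.require_two_factor else "false")
    return {"prompt": "login",
            "max_age": policy.max_age_limit * 60,
            "acr_values": wanted}


POLICY = RpPolicy(frozenset({"urn:google-auth-claims"}), 10, True)

# Constructed sample claims, as an RP would see them after decoding an ID Token.
STRONG = {"sub": "alice", "acr": "urn:google-auth-claims?max-age=3&two-factor=true"}
STALE = {"sub": "alice", "acr": "urn:google-auth-claims?max-age=45&two-factor=true"}
FOREIGN = {"sub": "alice", "acr": "urn:example-other-vocab?two-factor=true"}

if __name__ == "__main__":
    for name, claims in (("strong", STRONG), ("stale", STALE), ("foreign", FOREIGN)):
        ok, why = evaluate_acr(claims, POLICY)
        print(name, ok, why, "" if ok else reauth_request_params(POLICY))
```

The check distinguishes "not asserted" from "asserted false" on purpose: an IdP that uses a different vocabulary, or omits a parameter, should trigger re-authentication rather than being read as satisfying the policy.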