<div dir="ltr">An RP. <br></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Mon, Aug 12, 2013 at 1:30 PM, Anthony Nadalin <span dir="ltr"><<a href="mailto:tonynad@microsoft.com" target="_blank">tonynad@microsoft.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div link="#0563C1" vlink="#954F72" lang="EN-US">
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Who do you want to say something about the “session strength” to?
<u></u><u></u></span></p>
<p class="MsoNormal"><a name="140743900e136421__MailEndCompose"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></a></p>
<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""> <a href="mailto:openid-specs-ab-bounces@lists.openid.net" target="_blank">openid-specs-ab-bounces@lists.openid.net</a> [mailto:<a href="mailto:openid-specs-ab-bounces@lists.openid.net" target="_blank">openid-specs-ab-bounces@lists.openid.net</a>]
<b>On Behalf Of </b>Tim Bray<br>
<b>Sent:</b> Monday, August 12, 2013 1:05 PM<br>
<b>To:</b> <<a href="mailto:openid-specs-ab@lists.openid.net" target="_blank">openid-specs-ab@lists.openid.net</a>><br>
<b>Subject:</b> [Openid-specs-ab] acr values<u></u><u></u></span></p><div><div class="h5">
<p class="MsoNormal"><u></u> <u></u></p>
<div>
<div>
<div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt">In our IDP role, we’re coming under a lot of pressure to say something about “session strength” and maybe in some circumstances force re-auth and so on. There are a lot of different vocabularies in play that
you could use to talk about this stuff, including NIST and ISO publications; and the work of the Fido alliance is maybe interesting. So I expect a lot of churn in this space, and OIDC needs to allow sufficient elbow room.<u></u><u></u></p>
</div>
<p class="MsoNormal" style="margin-bottom:12.0pt">So, the purpose of this note is to confirm my understandings, based on looking at the OIDC Messages draft. Do people agree with these?<u></u><u></u></p>
</div>
<p class="MsoNormal" style="margin-bottom:12.0pt">- It’s perfectly OK to provide any old URI we dream up as a value for the “acr” claim.<u></u><u></u></p>
</div>
<p class="MsoNormal">- There may be awkwardness around multiple values; suppose I wanted to assert, for example, that the session is less than ten minutes old AND two-factor authent was used. All I can think of is composing a URI along the lines of urn:google-auth-claims?max-age=10&two-factor=true;
which is a little kludgy but I guess OK. Awkward, though, in the case where there’s a Fido vocabulary for 2-factor-flavor and someone else’s vocabulary for session-freshness.<u></u><u></u></p>
</div>
</div></div></div>
</div>
</blockquote></div><br></div>