[PROPOSAL] authentication age

Recordon, David drecordon at verisign.com
Sun Oct 1 18:53:35 UTC 2006


No, IdP MUST perform and RP MAY include.

--David


-----Original Message-----
From: Dick Hardt [mailto:dick at sxip.com]
Sent: Sun 10/1/2006 7:52 AM
To: Recordon, David
Cc: specs at openid.net
Subject: Re: [PROPOSAL] authentication age
 
Better wording, thanks.

I was thinking the IdP MUST perform per the parameter. The RP MAY include it, so it is an optional parameter in the request.

Are you suggesting the RP MUST include it?

-- Dick

On 1-Oct-06, at 3:33 AM, Recordon, David wrote:

> I like this, though think minutes would be granular enough.  Just to clarify, since it took me reading it a few times...
>
> Add an optional request parameter openid.auth_age which is a positive integer.  This parameter allows the relying party to request that if the identity provider has not renewed the session with the user in the past X minutes, that it do so at this time.  If left out of the request, it is assumed that a session of any age is acceptable for the transaction.  If 0, the RP is requesting authentication be done on this request no matter the age of the session.
>
> Assuming this be added, it would have to be a MUST in the spec to be useful.
>
> --David
>
>
> -----Original Message-----
> From: specs-bounces at openid.net on behalf of Dick Hardt
> Sent: Sat 9/30/2006 5:04 PM
> To: specs at openid.net
> Subject: [PROPOSAL] authentication age
>
> Motivating Use Case:
> ----------------------------
>
> Different RPs will require different amounts of certainty about the
> user, and at times will have different requirements depending on what
> the user is doing. E.g., from existing web applications today: there is
> little concern when the user is getting personalized pages, and a
> relatively old cookie may be adequate, but the app will require the
> user to provide their password when changing their settings.
>
> Proposed Implementation
> -----------------------------------
>
> New, optional parameter in the request, "openid.auth_age", where the
> value is the number of seconds (minutes?) since the user last
> provided credentials. If it has been longer than that since the
> IdP authenticated the user, then the IdP MUST authenticate the user
> again. A value of zero (0) means that the IdP MUST prompt the user
> for credentials.
>
> Issues
> --------
> There is no way to force an IdP to authenticate the user, but a
> "good" IdP implementation will follow the requests of the RP.
>



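The IdP-side decision the proposal describes, as an added example that is not code from this thread or from any OpenID implementation. It assumes the parameter is counted in seconds (the first mail's wording; the minutes alternative only changes the comparison unit), that the IdP keeps a hypothetical per-session `last_auth` Unix timestamp of the last credential entry, and that an age exactly equal to the requested bound still counts as "within the past X" and needs no re-prompt.

```python
"""Freshness check for the proposed openid.auth_age request parameter.

Added illustration; 'last_auth' is a hypothetical session field and the
seconds unit is an assumption taken from the original proposal text.
"""
from typing import Mapping, Optional


def parse_auth_age(params: Mapping[str, str]) -> Optional[int]:
    """Return the RP's requested maximum session age, or None if omitted.

    The proposal allows a non-negative integer (0 means "authenticate now").
    Anything else is a malformed request and is rejected rather than
    silently treated as "no constraint", which would weaken the RP's intent.
    """
    raw = params.get("openid.auth_age")
    if raw is None:
        return None  # RP MAY omit it: any session age is acceptable
    if not raw.isdigit():  # rejects "", "-5", "1.5", "abc"
        raise ValueError(f"openid.auth_age must be a non-negative integer, got {raw!r}")
    return int(raw)


def must_reauthenticate(params: Mapping[str, str],
                        last_auth: Optional[int], now: int) -> bool:
    """IdP side: decide whether to prompt for credentials on this request.

    last_auth is the Unix time the user last entered credentials at the IdP
    (None if this browser has no authenticated session at all).
    """
    max_age = parse_auth_age(params)
    if last_auth is None:
        return True  # no session to reuse regardless of what the RP asked
    if max_age is None:
        return False  # parameter absent: a session of any age is acceptable
    if max_age == 0:
        return True  # RP demands fresh authentication on every request
    return (now - last_auth) > max_age  # age exactly max_age is still fresh


def rp_request_params(base: Mapping[str, str],
                      max_age_seconds: Optional[int]) -> dict:
    """RP side: add openid.auth_age only when a freshness bound is needed.

    Per the proposal's Issues section the RP cannot verify the IdP honoured
    it; this merely expresses the request.
    """
    params = dict(base)
    if max_age_seconds is not None:
        params["openid.auth_age"] = str(max_age_seconds)
    return params
```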