[PROPOSAL] authentication age
Martin Atkins
mart at degeneration.co.uk
Sun Oct 1 19:07:24 UTC 2006
Recordon, David wrote:
> No, IdP MUST perform and RP MAY include.
>
IdP implementations that are embedded into some other app might have
trouble implementing this. Take LiveJournal, for example: what should it
do in the case where it has to re-authenticate? End the user's LJ
session and force them to log in again? Duplicate the login code in the
OpenID server code?
Aside from that qualm, this is another one of those things where it's
pointless to make it a MUST since IdPs that don't implement it aren't
going to get punished in any way. If IdPs can get away without doing it,
and RPs can't tell that they have, then some/most IdPs just won't
bother. Sure, it reduces the usefulness of this feature, but this
feature is riding on a completely uncheckable assumption and is
therefore broken by design.
The best we can do is make it a MAY (that is, max_age is a *suggestion*
from the RP) and hope that most IdPs do the right thing; we shouldn't
write the spec in a way that misleads RP implementers into thinking
they've actually got any real control here.
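To make the "uncheckable assumption" concrete, here is a small simulation added to this message (it is not code from the poster or from the OpenID project). An RP sends a checkid request carrying the proposed max_age parameter to two IdPs: one that re-authenticates when the user's session is older than max_age, and one that ignores the parameter. The request and response field names are OpenID 1.1 ones (signature fields omitted); the max_age name comes from the proposal; the IdP session bookkeeping, the identity URLs and the return_to URL are constructed for illustration. The RP compares everything it can observe in the two positive assertions and finds no difference.

```python
from dataclasses import dataclass


@dataclass
class IdPSession:
    """Constructed IdP-side state: when the user last logged in and how
    many times the IdP has re-prompted for credentials."""
    identity: str
    authenticated_at: int  # seconds since epoch of the last login
    reauth_count: int = 0


def rp_checkid_request(identity, return_to, max_age):
    """RP -> IdP request. max_age (from the proposal) asks the IdP to
    re-authenticate if the login is older than max_age seconds."""
    return {
        "openid.mode": "checkid_setup",
        "openid.identity": identity,
        "openid.return_to": return_to,
        "max_age": str(max_age),
    }


def _positive_assertion(request):
    """IdP -> RP positive response (subset of OpenID 1.1 id_res fields;
    assoc_handle and sig omitted to keep the example short)."""
    return {
        "openid.mode": "id_res",
        "openid.identity": request["openid.identity"],
        "openid.return_to": request["openid.return_to"],
        "openid.signed": "mode,identity,return_to",
    }


def honouring_idp(session, request, now):
    """IdP that does what the proposal asks: re-authenticate when the
    existing login is older than max_age, then assert."""
    max_age = int(request["max_age"])
    if now - session.authenticated_at > max_age:
        session.authenticated_at = now   # user was re-prompted
        session.reauth_count += 1
    return _positive_assertion(request)


def ignoring_idp(session, request, now):
    """IdP that never looks at max_age and asserts from the old login."""
    return _positive_assertion(request)


def rp_observable(response):
    """Everything the RP can actually inspect: the response fields."""
    return tuple(sorted(response.items()))


def simulate(max_age=300, session_age=3600, now=1_000_000):
    """Run one request against both IdPs and report what each side saw."""
    request = rp_checkid_request("http://example.com/alice",
                                 "http://rp.example/return", max_age)
    honest = IdPSession("http://example.com/alice", now - session_age)
    lazy = IdPSession("http://example.com/alice", now - session_age)
    r_honest = honouring_idp(honest, request, now)
    r_lazy = ignoring_idp(lazy, request, now)
    return {
        "reauth_honouring": honest.reauth_count,
        "reauth_ignoring": lazy.reauth_count,
        "rp_sees_difference": rp_observable(r_honest) != rp_observable(r_lazy),
    }


if __name__ == "__main__":
    print(simulate())
```

With the defaults (a one-hour-old login and max_age of five minutes) the honouring IdP re-prompts once and the ignoring IdP not at all, yet the RP receives byte-identical assertions from both; the only state that differs lives on the IdP, which is exactly why the message above treats max_age as a suggestion rather than something an RP can rely on.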