[PROPOSAL] authentication age

Martin Atkins mart at degeneration.co.uk
Mon Oct 2 06:48:21 UTC 2006


Recordon, David wrote:
> That was going to be my exact follow-up to my own message, though got 
> distracted.  What I phrased was how Dick described it.
> 
> I like the feature, though agree that many IdPs may be unable to 
> implement it due to how they do session handling.  It could be augmented 
> to also contain a response parameter telling the RP if the IdP 
> acknowledged it, then the RP could make the decision if it wants to proceed.
> 

But again, IdPs will just send it whether they did it or not, because 
it's like a "make it work" flag; people will quickly forget/dismiss what 
it really means and set it just to make their IdP work.

Unless you've got some way to *prove* that you did it (I can't think of 
one) there's no point.

This also ignores the fact that not all "IdPs" are going to use sessions 
and passwords. One could potentially make one that acts on a presented 
certificate, for example. Or one which just returns "Yes" to everything 
as an anonymising tool.
