[PROPOSAL] authentication age
Martin Atkins
mart at degeneration.co.uk
Mon Oct 2 06:48:21 UTC 2006
Recordon, David wrote:
> That was going to be my exact follow-up to my own message, though got
> distracted. What I phrased was how Dick described it.
>
> I like the feature, though agree that many IdPs may be unable to
> implement it due to how they do session handling. It could be augmented
> to also contain a response parameter telling the RP if the IdP
> acknowledged it, then the RP could make the decision if it wants to proceed.
>
But again, IdPs will just send it whether they did it or not, because
it's like a "make it work" flag; people will quickly forget/dismiss what
it really means and set it just to make their IdP work.
Unless you've got some way to *prove* that you did it (I can't think of
one) there's no point.
This also ignores the fact that not all "IdPs" are going to use sessions
and passwords. One could potentially make one that acts on a presented
certificate, for example. Or one which just returns "Yes" to everything
as an anonymising tool.
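The RP-side decision David describes, written out as an added example (not code from the thread or from the OpenID specs); the parameter names `openid.auth_age_ack` and `openid.auth_age` and the `idp_trusted` policy input are assumptions, and the example treats the IdP's claim as unprovable, which is exactly Martin's objection:

```python
# Added example, not from the thread or from any OpenID specification.
# Parameter names ("openid.auth_age_ack", "openid.auth_age") are assumed placeholders.
from dataclasses import dataclass
from typing import Mapping, Optional

@dataclass(frozen=True)
class AuthAgeClaim:
    acknowledged: Optional[bool]  # None: the IdP said nothing about the request
    auth_age: Optional[int]       # seconds since the user last authenticated, as claimed

def parse_claim(params: Mapping[str, str]) -> AuthAgeClaim:
    """Pull the (hypothetical) authentication-age fields out of an IdP response."""
    ack_raw = params.get("openid.auth_age_ack")
    acknowledged = None if ack_raw is None else ack_raw.strip().lower() == "true"
    age_raw = params.get("openid.auth_age")
    auth_age = None
    if age_raw is not None and age_raw.strip().isdigit():
        auth_age = int(age_raw)   # isdigit() rejects signs, so this is never negative
    return AuthAgeClaim(acknowledged, auth_age)

def rp_decision(max_auth_age: int, claim: AuthAgeClaim, idp_trusted: bool) -> str:
    """Return "proceed" or "step_up".

    The claim cannot be proven, so it is only acted on for IdPs the RP has
    chosen to trust; everything else, including a missing or inconsistent
    answer, fails closed to the RP's own step-up check (re-login, second factor).
    """
    if not idp_trusted:
        return "step_up"
    if claim.acknowledged is not True:
        return "step_up"           # flag absent, or the IdP said it could not comply
    if claim.auth_age is None or claim.auth_age > max_auth_age:
        return "step_up"           # ack without a usable age, or honestly stale
    return "proceed"

def evaluate(max_auth_age: int, params: Mapping[str, str], idp_trusted: bool) -> str:
    return rp_decision(max_auth_age, parse_claim(params), idp_trusted)

if __name__ == "__main__":
    # Constructed sample responses, not captured traffic.
    fresh = {"openid.mode": "id_res", "openid.auth_age_ack": "true", "openid.auth_age": "120"}
    stale = {"openid.mode": "id_res", "openid.auth_age_ack": "true", "openid.auth_age": "7200"}
    silent = {"openid.mode": "id_res"}
    print(evaluate(300, fresh, idp_trusted=True))    # proceed
    print(evaluate(300, stale, idp_trusted=True))    # step_up
    print(evaluate(300, silent, idp_trusted=True))   # step_up
    print(evaluate(300, fresh, idp_trusted=False))   # step_up
```

The `idp_trusted` input is where Martin's "make it work" flag and the "Yes to everything" anonymiser end up: an RP that cannot vouch for the IdP gains nothing from the parameter and should keep its own step-up check.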