[PROPOSAL] authentication age

Kevin Turner kevin at janrain.com
Mon Oct 2 18:51:51 UTC 2006


On Sun, 2006-10-01 at 20:07 +0100, Martin Atkins wrote:
[...]
> then some/most IdPs just won't bother. [...]
> a completely uncheckable assumption and is therefore broken by design.
>
> The best we can do is make it a MAY (that is, max_age is a *suggestion* 
> from the RP) and hope that most IdPs do the right thing; we shouldn't 
> write the spec in a way that misleads RP implementers into thinking 
> they've actually got any real control here.

What he said.

I'd suggest drafting this feature as an extension.  I know that weakens
it, but as Martin says, you can't count on it being there in any case,
so I think an optional extension is a much more straightforward way of
representing when this functionality is actually available.





More information about the specs mailing list