[PROPOSAL] authentication age
Kevin Turner
kevin at janrain.com
Mon Oct 2 18:51:51 UTC 2006
On Sun, 2006-10-01 at 20:07 +0100, Martin Atkins wrote:
[...]
> then some/most IdPs just won't bother. [...]
> a completely uncheckable assumption and is therefore broken by design.
>
> The best we can do is make it a MAY (that is, max_age is a *suggestion*
> from the RP) and hope that most IdPs do the right thing; we shouldn't
> write the spec in a way that misleads RP implementers into thinking
> they've actually got any real control here.

What he said.

I'd suggest drafting this feature as an extension. I know that weakens
it, but as Martin says, you can't count on it being there in any case,
so I think an optional extension is a much more straightforward way of
representing when this functionality is actually available.