[PROPOSAL] authentication age
Kevin Turner
kevin at janrain.com
Mon Oct 2 19:29:17 UTC 2006
On Sun, 2006-10-01 at 13:08 -0700, Recordon, David wrote:
> It could be augmented to also contain a response parameter telling the
> RP if the IdP acknowledged it, then the RP could make the decision if
> it wants to proceed.
You will want that response parameter. Otherwise, couldn't I (as the
attacker who has the user's IdP cookie) just drop the auth_age parameter
from the checkid request?
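
The check argued for above, as an added example that is not part of the original message: a relying party accepts an assertion only if the IdP's signed response acknowledges auth_age. The acknowledgement field (openid.auth_age in the response), its echo semantics and all sample values are assumptions; the signature follows OpenID's key-value HMAC-SHA1 form.

```python
import hashlib
import hmac
from base64 import b64encode

# Constructed association secret shared by RP and IdP; not a real key.
ASSOC_SECRET = b"constructed-association-secret"

# Constructed checkid request carrying the proposed auth_age parameter.
SAMPLE_REQUEST = {
    "openid.mode": "checkid_setup",
    "openid.identity": "http://user.example/",
    "openid.return_to": "http://rp.example/return",
    "openid.auth_age": "300",
}

def sign(fields, names, secret=ASSOC_SECRET):
    """Base64 HMAC-SHA1 over the key-value form ('name:value\\n') of the named fields."""
    kv = "".join(f"{n}:{fields['openid.' + n]}\n" for n in names).encode()
    return b64encode(hmac.new(secret, kv, hashlib.sha1).digest()).decode()

def idp_respond(request, secret=ASSOC_SECRET):
    """Toy IdP: acknowledges auth_age (signed) only if the request carried it."""
    resp = {"openid.mode": "id_res",
            "openid.identity": request["openid.identity"],
            "openid.return_to": request["openid.return_to"]}
    names = ["mode", "identity", "return_to"]
    if "openid.auth_age" in request:
        resp["openid.auth_age"] = request["openid.auth_age"]  # hypothetical ack field
        names.append("auth_age")
    resp["openid.signed"] = ",".join(names)
    resp["openid.sig"] = sign(resp, names, secret)
    return resp

def rp_accepts(response, requested_age, secret=ASSOC_SECRET):
    """RP side: require a valid signature AND a signed auth_age acknowledgement."""
    names = response.get("openid.signed", "").split(",")
    try:
        expected = sign(response, names, secret)
    except KeyError:
        return False  # signed list names a field that is not present
    if not hmac.compare_digest(expected, response.get("openid.sig", "")):
        return False
    if "auth_age" not in names:
        # No signed acknowledgement: the parameter may have been dropped
        # from the request in transit, so the constraint was never applied.
        return False
    return response["openid.auth_age"] == str(requested_age)
```

Without the final two checks, a response to a request that had auth_age stripped would verify cleanly and be indistinguishable from one where the IdP honoured it.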