[OT] our cookie expiration
Dick Hardt
dick at sxip.com
Mon Oct 9 21:29:09 UTC 2006
On 9-Oct-06, at 1:12 AM, Josh Hoyt wrote:
> On 10/8/06, Dick Hardt <dick at sxip.com> wrote:
>> [...] I would want the site to prompt for a password if I was
>> doing something
>> important. The only way for the IdP to know that is for the RP to
>> tell it somehow -> auth_age request.
>
> This is only useful in conjunction with signed requests. A malicious
> 3rd party could easily remove whatever parameter(s) in the request
> that made the IdP prompt for the password. If the request is not
> signed, it's a false sense of security at best.
Not true. The malicious 3rd party can modify the request, but not the
response.
The response would contain the auth_age parameter as well, so the RP
would know if the IdP was claiming to have performed the request.
-- Dick
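A worked illustration of the point made in this message, added here and not part of the original thread or of any OpenID implementation: the RP puts an auth_age limit in its (unsigned) request, the IdP reports the age it actually delivered in its signed response, and the RP decides from the signed value alone. The wire format and signature scheme are assumptions (flat parameter dicts, HMAC-SHA256 over the sorted signed fields under a constructed RP/IdP association secret), not the OpenID signature format.

```python
"""Added example: RP requests a maximum authentication age, IdP echoes the
actual age in a signed response, RP trusts only the signed value.

Assumptions (not the OpenID wire format): parameters are flat dicts and the
signature is HMAC-SHA256 over the sorted signed fields keyed with a shared
association secret.
"""
import hashlib
import hmac

# Constructed association secret shared by this RP and IdP; a real deployment
# negotiates it during association rather than hard-coding it.
ASSOCIATION_SECRET = b"constructed-association-secret"


def _payload(params: dict, fields: list) -> bytes:
    return "&".join(f"{k}={params[k]}" for k in fields).encode()


def sign_response(params: dict, secret: bytes) -> dict:
    """IdP side: sign every parameter and record which ones the signature covers."""
    fields = sorted(params)
    sig = hmac.new(secret, _payload(params, fields), hashlib.sha256).hexdigest()
    return {**params, "signed": ",".join(fields), "sig": sig}


def verify_response(response: dict, secret: bytes) -> bool:
    """RP side: recompute the HMAC over the fields the IdP says it signed."""
    fields = response.get("signed", "").split(",")
    if not all(f in response for f in fields):
        return False
    expected = hmac.new(secret, _payload(response, fields), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, response.get("sig", ""))


def idp_authenticate(request: dict, session_age: int, secret: bytes) -> dict:
    """IdP: honour auth_age from the unsigned request by re-prompting when the
    existing session is older than the limit; always report the resulting age."""
    actual_age = session_age
    limit = request.get("auth_age")
    if limit is not None and actual_age > int(limit):
        actual_age = 0  # user re-entered the password just now (simulated)
    response = {
        "mode": "id_res",
        "identity": request["identity"],
        "auth_age": str(actual_age),
    }
    return sign_response(response, secret)


def rp_accept(response: dict, requested_auth_age: int, secret: bytes) -> bool:
    """RP: accept only if the signature holds, auth_age is among the signed
    fields, and the reported age meets what the RP asked for."""
    if not verify_response(response, secret):
        return False
    if "auth_age" not in response["signed"].split(","):
        return False
    return int(response["auth_age"]) <= requested_auth_age


def scenario(strip_auth_age: bool, session_age: int = 3600, requested: int = 300) -> bool:
    """One RP -> IdP -> RP round trip. strip_auth_age models an intermediary
    deleting the parameter from the unsigned request in transit."""
    request = {"identity": "https://example.invalid/alice", "auth_age": str(requested)}
    if strip_auth_age:
        del request["auth_age"]  # request tampered; IdP never sees the limit
    response = idp_authenticate(request, session_age, ASSOCIATION_SECRET)
    return rp_accept(response, requested, ASSOCIATION_SECRET)


def forged_response_rejected() -> bool:
    """Editing auth_age in the signed response breaks the HMAC, so the RP rejects it."""
    request = {"identity": "https://example.invalid/alice"}
    response = idp_authenticate(request, 3600, ASSOCIATION_SECRET)
    response["auth_age"] = "0"  # forged after signing
    return not rp_accept(response, 300, ASSOCIATION_SECRET)


if __name__ == "__main__":
    print("untampered request accepted:", scenario(strip_auth_age=False))
    print("auth_age stripped from request, RP still catches it:", not scenario(strip_auth_age=True))
    print("forged response rejected:", forged_response_rejected())
```

The RP check deliberately requires `auth_age` to appear in the `signed` list rather than merely in the response, so an IdP response that omits the parameter, or a response where it sits outside the signed set, is not accepted by default; a stripped request therefore shows up as a stale reported age, and an edited response shows up as a signature failure.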