OpenID Provider Authentication Policy Extension

Johnny Bufu johnny at sxip.com
Thu Aug 9 18:28:28 UTC 2007


Hi David,

> On 22-Jun-07, at 9:46 AM, Recordon, David wrote:
>> So please, check it out and let me know what you think...especially
>> around the questions in the Editorial Comments section at the end.
>
> Here are the issues that came up while I implemented PAPE in
> openid4java:
>
> [...]
>
> 5.2 Response Parameters
> [...]
> - auth_age: Since the message may spend a (not-insignificant) time
>   after it's created (by the library)
>       before it's put on the wire
>       on the wire
>       while it's being processed by the RP
>   a timestamp value may be better suited here (rename it to auth_time
>   maybe?). This way the RP will be able to determine the auth_age at
>   any time (e.g. when it actually needs to perform the sensitive
>   operation). Could use the formatting used for nonces (from RFC3339).

On 21-Jul-07, at 4:55 PM, Recordon, David wrote:
> 5.2
>
> 2) I'm fine with time coming back instead of number of seconds.


I wanted to bring openid4java up to the latest PAPE spec, and it
seems the above was not checked in yet. Do you still have it on your
todo list, or would it help if I sent you a proposed patch for it?


Thanks,
Johnny
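
An added example, not part of the original message and not openid4java code: a relying-party check that recomputes the authentication age from the proposed auth_time timestamp at the moment of the sensitive operation, failing closed on malformed or future values. The function names, the `max_age_seconds` policy value, the 60-second skew allowance and the sample times are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

# Assumption: the timestamp uses the UTC "Z" form of RFC 3339, as OpenID nonces do.
RFC3339_UTC = "%Y-%m-%dT%H:%M:%SZ"


def parse_auth_time(value):
    """Parse the proposed auth_time value; raises ValueError if malformed."""
    return datetime.strptime(value, RFC3339_UTC).replace(tzinfo=timezone.utc)


def auth_age_seconds(auth_time, now=None, allowed_skew=timedelta(seconds=60)):
    """Age of the authentication at `now`, in whole seconds.

    A timestamp further in the future than `allowed_skew` is rejected rather
    than clamped to age 0, so a wrong or forged clock value cannot look fresh.
    """
    now = now or datetime.now(timezone.utc)
    age = now - parse_auth_time(auth_time)
    if age < -allowed_skew:
        raise ValueError("auth_time is in the future")
    return max(0, int(age.total_seconds()))


def is_fresh_enough(auth_time, max_age_seconds, now=None):
    """Decide, when the sensitive operation is attempted, whether to proceed."""
    try:
        return auth_age_seconds(auth_time, now) <= max_age_seconds
    except (ValueError, TypeError):
        return False  # missing, malformed or future timestamp: fail closed


# Constructed sample: user authenticated at 18:00:00, assertion received by the
# RP at 18:00:05, sensitive operation attempted at 18:12:00, RP policy is 600 s.
AUTH_TIME = "2007-08-09T18:00:00Z"
RECEIVED = datetime(2007, 8, 9, 18, 0, 5, tzinfo=timezone.utc)
OPERATION = datetime(2007, 8, 9, 18, 12, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(is_fresh_enough(AUTH_TIME, 600, now=RECEIVED))   # check at receipt
    print(is_fresh_enough(AUTH_TIME, 600, now=OPERATION))  # check at the operation
```

A relative auth_age captured at receipt would still read as 5 seconds when the operation runs twelve minutes later; the absolute timestamp lets the same assertion be re-evaluated against the current clock.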



