OpenID Provider Authentication Policy Extension

Recordon, David drecordon at verisign.com
Sat Jul 21 23:55:39 UTC 2007


5.1 
1) Clarified.

2 & 3) Changed the MUST to a SHOULD, since the intent was never to
restrict what a user could do.

4) Changed to "Integer"

5.2
1) What is the use-case for this?  As the parameter always describes the
policies returned in pape_auth_policies, the Provider should always know
how long ago the user authenticated within the session.

2) I'm fine with time coming back instead of number of seconds.

3) Changed to integer.

Thanks,
--David


-----Original Message-----
From: Johnny Bufu [mailto:johnny at sxip.com] 
Sent: Thursday, June 28, 2007 7:31 PM
To: Recordon, David
Cc: specs at openid.net
Subject: Re: OpenID Provider Authentication Policy Extension

David,

On 22-Jun-07, at 9:46 AM, Recordon, David wrote:
> So please, check it out and let me know what you think...especially
> around the questions in the Editorial Comments section at the end.

Here are the issues that came up while I implemented PAPE in  
openid4java:


5.1 Request Parameters

- Is preferred_auth_policies REQUIRED? Assume yes, but not clearly  
spelled out.

- "the OP MUST authenticate the End User for this request."

What if the OP / user don't want to re-authenticate, and have reasons  
to continue their session with the previous / old auth? (For example  
user changed his mind at the OP about buying the book from amazon,  
and declines the OP's request to re-authenticate).

- "The OP should realize that not adhering to the request for re- 
authentication..." implies there is an alternative to the above  
(other than breaking the protocol). Maybe the MUST above should be a  
SHOULD?

- (max_)auth_age is defined as "numeric". Is there value for allowing  
floating-point numbers here? Would be simpler to be an integer.


5.2 Response Parameters

- auth_age: What should the value be if the OP did not actively  
authenticate the user for the current session? Suggesting "unknown"  
as a special value for this.

- auth_age: Since the message may spend a (not-insignificant) time  
after it's created (by the library)
	before it's put on the wire
	on the wire
	while it's being processed by the RP
a timestamp value may be better suited here (rename it to auth_time  
maybe?). This way the RP will be able to determine the auth_age at  
any time (e.g. when it actually needs to perform the sensitive  
operation). Could use the formatting used for nonces (from RFC3339).

- nist_auth_level: "Numeric value" - probably was meant as integer  
value.


Thanks,
Johnny
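The auth_age versus auth_time point above, as an added RP-side example (not code from the thread or from openid4java): the RP computes the age from an RFC 3339 auth_time at the moment it performs the sensitive operation, treats a missing value as unknown, and parses nist_auth_level as an integer. The parameter names openid.pape.auth_time and openid.pape.nist_auth_level and the sample response are assumptions.

```python
from datetime import datetime, timezone
from typing import Dict, Optional

# Constructed PAPE-style response fragment (not from the thread); the
# parameter names are assumed, not taken from the draft.
SAMPLE_RESPONSE: Dict[str, str] = {
    "openid.pape.auth_time": "2007-07-21T23:50:00Z",
    "openid.pape.nist_auth_level": "2",
}
# Constructed clock values: when the RP received the response, and when it
# actually performs the sensitive operation.
RECEIVED_AT = datetime(2007, 7, 21, 23, 53, 39, tzinfo=timezone.utc)
NOW = datetime(2007, 7, 21, 23, 55, 39, tzinfo=timezone.utc)


def parse_rfc3339_utc(value: str) -> datetime:
    """Parse the nonce-style RFC 3339 form YYYY-MM-DDThh:mm:ssZ (UTC only)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def auth_age_from_time(params: Dict[str, str], now: datetime) -> Optional[int]:
    """Seconds since the OP authenticated the user, evaluated at `now`.
    None means the OP sent no auth_time (the 'unknown' case)."""
    value = params.get("openid.pape.auth_time")
    if not value:
        return None
    return int((now - parse_rfc3339_utc(value)).total_seconds())


def auth_age_from_draft(auth_age: int, received_at: datetime, now: datetime) -> int:
    """With the draft's relative auth_age, the RP must add the time the response
    has been sitting since receipt, or the age is underestimated."""
    return auth_age + int((now - received_at).total_seconds())


def fresh_enough(params: Dict[str, str], max_auth_age: int, now: datetime,
                 skew: int = 60) -> bool:
    """RP-side check of the authentication against the max_auth_age it requested."""
    age = auth_age_from_time(params, now)
    if age is None:
        return False  # unknown freshness never satisfies a max_auth_age request
    if age < -skew:
        return False  # OP clock far ahead of ours: do not trust the value
    return age <= max_auth_age


def nist_auth_level(params: Dict[str, str]) -> Optional[int]:
    """nist_auth_level as an integer 0..4, or None if absent or malformed."""
    raw = params.get("openid.pape.nist_auth_level")
    if raw is None or not raw.isdigit():
        return None
    level = int(raw)
    return level if 0 <= level <= 4 else None
```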
