OpenID Provider Authentication Policy Extension
Johnny Bufu
johnny at sxip.com
Mon Jul 23 19:31:28 UTC 2007
On 21-Jul-07, at 4:55 PM, Recordon, David wrote:
> 5.1
> 1) Clarified.
>
> 2 & 3) Changed the MUST to a SHOULD, since the intent was never to
> restrict what a user could do.
>
> 4) Changed to "Integer"
>
> 2) I'm fine with time coming back instead of number of seconds.
>
> 3) Changed to integer.
Great, thanks. Were these checked in? I don't see them in SVN yet.
> 5.2
> 1) What is the use-case for this? As the parameter always describes the
> policies returned in pape_auth_policies, the Provider should always know
> how long ago the user authenticated within the session.
Depending on how 'active authentication' is defined, there may be no
such authentication performed at all. If there is no 'active
authentication', there can't be an age for it either.
Specifically, Sxipper never prompts users for their password (that's
what I think 'active' means). Maybe also clarify then 'active
authentication'?
Or, if auth_age/time is intended to describe only the requested /
performed authentication policies, remove the 'active' word from the
description of the field, and define a new 'active authentication'
policy (which can be requested separately), and tie the auth_age/time
in the response to it.
Thanks,
Johnny