PAPE Extension Specification

Jonathan Daugherty cygnus at janrain.com
Thu Oct 4 23:27:41 UTC 2007


# +1 on clarifying what "active" means. Before getting to wording, I'm
# not totally sure what would be considered active authentication and
# what wouldn't.

Agreed; that should be specified, too.  If it can't be specified (I'm
inclined to believe it can't), then the spec should at least say
"whatever the OP considers 'direct authentication right now'" as
opposed to, say, state-based auth like a session cookie.

# >  - For max_auth_age, what does "in a manner fitting the requested
# >    policies" mean 1) in the case where no policies were requested
# >    and 2) in the case where authentication was performed in
# >    accordance with a *subset* of the requested policies?
# 
# I believe auth_age in the response is meant to apply to the policies
# asserted in the response, rather than the ones requested. (Hinted by
# David's comment[1].) The RP can then see if there's a full or
# partial match, and decide if it's good enough.

In that case, I think "in a manner fitting the *requested* policies"
(emphasis mine) should be removed entirely.  (That is, the RP is
imposing a limit, but it's not necessarily a limit on the type of
authentication it's asking for.)

# On the same topic, I have suggested before and there seemed to be
# agreement[1] that it's more useful if auth_age in the response is
# actually a timestamp (auth_time).

Ah, good point.  The spec didn't get changed; was there anything else
holding that up?

Thanks,

-- 
  Jonathan Daugherty
  JanRain, Inc.
  irc.freenode.net: cygnus in #openid
  cygnus.myopenid.com
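The RP-side decision described in the thread (does the asserted policy set fully or partially match what was requested, and is the authentication recent enough for max_auth_age), as an added example that is not code from the thread or from the PAPE draft. It assumes the parameter names discussed above (max_auth_age, preferred_auth_policies, auth_policies, and either auth_age in seconds or the proposed auth_time timestamp); the policy URIs in the comments and test data are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import FrozenSet, Optional

@dataclass(frozen=True)
class PapeVerdict:
    match: str                  # "full", "partial" or "none" vs. requested policies
    fresh: Optional[bool]       # None when the RP imposed no max_auth_age
    missing: FrozenSet[str]     # requested policy URIs the OP did not assert

def auth_age_seconds(response: dict, now: datetime) -> Optional[int]:
    """Seconds since the OP's last *active* authentication of the user.

    Accepts the draft's auth_age (seconds) or the auth_time alternative
    raised in the thread (ISO 8601 UTC timestamp); None if the OP sent neither.
    """
    if "auth_age" in response:
        return int(response["auth_age"])
    if "auth_time" in response:
        t = datetime.strptime(response["auth_time"], "%Y-%m-%dT%H:%M:%SZ")
        return int((now - t.replace(tzinfo=timezone.utc)).total_seconds())
    return None

def evaluate_pape(request: dict, response: dict, now: datetime) -> PapeVerdict:
    """Compare a PAPE request (RP) with the PAPE response (OP)."""
    requested = set(request.get("preferred_auth_policies", "").split())
    asserted = set(response.get("auth_policies", "").split())
    missing = frozenset(requested - asserted)

    if not requested or not missing:
        match = "full"        # nothing requested, or every requested policy asserted
    elif requested & asserted:
        match = "partial"     # the RP decides whether a subset is good enough
    else:
        match = "none"

    fresh = None
    if "max_auth_age" in request:
        # Per the reading in the thread, the age describes the policies the OP
        # actually asserted, so it is checked independently of the match level.
        # An OP that omits the age when one was requested is treated as stale.
        age = auth_age_seconds(response, now)
        fresh = age is not None and age <= int(request["max_auth_age"])

    return PapeVerdict(match, fresh, missing)
```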
