[OpenID] Recycling OpenIDs
Evan Prodromou
evan at prodromou.name
Mon Jun 11 12:30:47 UTC 2007
On Sat, 2007-09-06 at 09:47 -0400, Evan Prodromou wrote:
> If relying parties require some high level of authentication, we have
> ways to specify that.
I think I should have been more specific here: the best way to solve the
ID lifetime problem is to add a parameter to AQE that lets the OP
specify the expected lifetime of the identifier.
enroll.lifetime - integer, time in days that the OP expects the identifier to identify the current principal. Some sample values:
* 0: the identifier could belong to a different principal at any time. For example, anonymous OPs or OPs where users can manually change their own identifiers to any unused value at will.
* Session: the identifier will belong to the current principal for the duration of the principal's browser session.
* 730: the OP recycles identifiers if they haven't been used in 2 years.
* Inf: the OP's policy is that the identifier will be used for only one principal. "Infinity" is an ideal expectation, subject to the lifetime of the OP, of the OpenID protocol, of the Internet, and of the universe. More immediately, there may be changes to the policy in the future.
Note that there is no way to specify non-zero lifetimes shorter
than one day, and that the special non-integer strings "Session"
and "Inf" are acceptable values.
I'm actually not sure how to implement an OP that would use "Session" --
possibly with a browser plugin? -- but I included it for completeness.
-Evan
--
Evan Prodromou <evan at prodromou.name>
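As an added illustration (not code from the post or from any OpenID library), here is how a relying party could consume the proposed enroll.lifetime value: parse the three value shapes the post describes (whole days, "Session", "Inf"), decide whether the promised lifetime is long enough for the RP's own needs, and flag a stored account link as possibly recycled when the identifier has not been seen for longer than the OP's lifetime. The parameter name and value semantics come from the post; the function names and the RP policy interface are assumptions of this example.

```python
import math
import re

SESSION = "Session"  # special non-integer value: bound for the browser session only


def parse_lifetime(raw: str):
    """Parse an enroll.lifetime value as sketched in the post (hypothetical parameter).

    Returns an int number of whole days (0 allowed), math.inf for "Inf",
    or the string "Session". Anything else (negative, fractional, units,
    empty) is rejected: non-zero lifetimes shorter than a day cannot be expressed.
    """
    value = raw.strip()
    if value == SESSION:
        return SESSION
    if value == "Inf":
        return math.inf
    if re.fullmatch(r"[0-9]+", value) is None:
        raise ValueError(f"enroll.lifetime must be whole days, 'Session' or 'Inf': {raw!r}")
    return int(value)


def is_valid_lifetime(raw: str) -> bool:
    try:
        parse_lifetime(raw)
        return True
    except ValueError:
        return False


def acceptable_for(lifetime, required_days: int, allow_session: bool = False) -> bool:
    """RP policy check (assumed interface): is the OP's promised lifetime at least
    what this RP needs before binding the identifier to a local account?
    required_days=0 means no stability needed (a guestbook); 365+ suits account linking."""
    if lifetime == SESSION:
        return allow_session or required_days == 0
    return lifetime >= required_days


def link_may_be_stale(lifetime, days_since_last_seen: int) -> bool:
    """True if the OP's policy allows the identifier to have been reassigned to
    another principal since this RP last saw it log in, so the stored account
    link should be re-verified rather than trusted. A login seen here counts as
    use at the OP, so the RP's own last-seen date is a safe lower bound on
    OP-side activity: lifetime 0 is always stale, Inf is never stale."""
    if lifetime == SESSION:
        return True  # nothing is promised past the browser session; be conservative
    return days_since_last_seen >= lifetime
```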