[OpenID] Persistent logins

Calvin Cheng cxcheng at mac.com
Tue Mar 13 18:01:44 UTC 2007


I understand why OpenID should not be a distributed session management system.
However, perhaps RPs can request to validate identity not just on a "one time" or "forever" basis, but on a "session" basis where OpenID can issue a secure session key. Just thinking aloud.

On Tuesday, March 13, 2007, at 10:48AM, "Nic James Ferrier" <nferrier at tapsellferrier.co.uk> wrote:
>"Max Metral" <max at artsalliancelabs.com> writes:
>
>> I was afraid this might be the case.  It's a pretty big hole I would
>> submit, because sites aren't going to make their members suffer by
>> having to login repeatedly (if they don't want to), but members
>> shouldn't have to answer that question many times, and I shouldn't have
>> to sacrifice the ability to undo a previous decision (on a different
>> machine).  So either the IDPs have to start implementing custom tools,
>> or the protocol needs an extension. (or I'm missing something)
>>
>> In my past life I built Microsoft Passport, and I remember confronting
>> these same problems.  I won't bore (or somehow compromise) the list by
>> describing the solution, but suffice to say it was "unpleasant" but
>> worked.  In the end, if check_auth isn't server-to-server only, it would
>> seem we'd need that mechanism.  And it would be even better if the
>> consumer got to specify its desire for that kind of assertion up
>> front.
>
>There are solutions to the separate problem of machine to machine
>identity assertion which might work.
>
>I don't personally like those much though, given that I have a
>provider that does silent authentication (http://prooveme.com)
>
>
>-- 
>Nic Ferrier
>----------------------------------------------------------
>Need a linux/java/python/web hacker?  I'm in need of work!
>----------------------------------------------------------
>http://www.tapsellferrier.co.uk   
>
>


