[OpenID] Why spoofing and OpenID look so much alike
Allen Tom
atom at yahoo-inc.com
Mon Sep 29 16:47:17 UTC 2008
Peter Williams wrote:
> Out of interest, does Yahoo challenge the user (persistently logged in via session cookie for 1.9 weeks) before s/he can a) use a registered credit card b) change membership/subscription info c) bid?
>
>
> A, b and c are just 3 RP applications, of course: those that might have fussier challenge requirements than the Yahoo Mail SP.
>
>
Yes to all three. If the user is doing anything particularly sensitive
on the Yahoo network, we will reprompt the user to enter their password,
even if they're already logged in via a persistent cookie.
> Should OpenID auth have the means for an SP to force the OP to challenge (and thus renew the persisted cookie)?
>
The PAPE extension specifies a mechanism for the RP to tell the OP to
reauthenticate the user before sending the assertion. This is the
openid.age.max_auth_age parameter.
http://openid.net/specs/openid-assertion-quality-extension-1_0-03.html#anchor7
Allen
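As an added example (not part of this message, and not Yahoo's or the OpenID project's code), the RP side of the exchange Allen describes, written in Python: the RP sends max_auth_age with its checkid_setup request, and when the positive assertion comes back it checks the OP's reported auth_time itself instead of trusting that the OP reprompted. It uses the parameter names of the finalized PAPE 1.0 specification (openid.pape.max_auth_age in the request, openid.pape.auth_time in the signed response), which differ from the draft linked above; the endpoint URLs and the response values are constructed for illustration, and the code assumes the assertion's signature has already been verified through an association or check_authentication, doing only the freshness check on top of that.

```python
import time
from datetime import datetime, timezone
from urllib.parse import urlencode

OPENID2_NS = "http://specs.openid.net/auth/2.0"
PAPE_NS = "http://specs.openid.net/extensions/pape/1.0"

# Allowed clock skew between RP and OP when judging auth_time (assumption).
CLOCK_SKEW_SECONDS = 300


def build_checkid_request(op_endpoint, claimed_id, return_to, realm, max_auth_age):
    """Build the checkid_setup redirect URL, asking the OP via PAPE that the
    user must have authenticated within the last max_auth_age seconds.
    max_auth_age=0 asks the OP to reauthenticate the user unconditionally."""
    params = {
        "openid.ns": OPENID2_NS,
        "openid.mode": "checkid_setup",
        "openid.claimed_id": claimed_id,
        "openid.identity": claimed_id,
        "openid.return_to": return_to,
        "openid.realm": realm,
        "openid.ns.pape": PAPE_NS,
        "openid.pape.max_auth_age": str(int(max_auth_age)),
    }
    return op_endpoint + "?" + urlencode(params)


def parse_auth_time(value):
    """PAPE auth_time is an ISO 8601 UTC timestamp: YYYY-MM-DDThh:mm:ssZ.
    Returns seconds since the epoch; raises ValueError on anything else."""
    dt = datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return dt.timestamp()


def check_freshness(response, max_auth_age, now=None):
    """Decide whether a signature-verified positive assertion satisfies the
    RP's max_auth_age. Returns (ok, reason). The OP's word that it reprompted
    is not taken on trust: the RP compares auth_time against its own clock."""
    now = time.time() if now is None else now
    if response.get("openid.ns.pape") != PAPE_NS:
        return False, "OP did not answer with the PAPE namespace"
    # openid.signed lists field names without the 'openid.' prefix. An
    # unsigned auth_time could be tampered with in the redirect, so insist
    # that both the namespace declaration and auth_time are covered.
    signed = set(response.get("openid.signed", "").split(","))
    if not {"ns.pape", "pape.auth_time"} <= signed:
        return False, "PAPE auth_time is not among the signed fields"
    auth_time = response.get("openid.pape.auth_time")
    if auth_time is None:
        return False, "OP did not report auth_time"
    try:
        authenticated_at = parse_auth_time(auth_time)
    except ValueError:
        return False, "malformed auth_time: %r" % auth_time
    age = now - authenticated_at
    if age < -CLOCK_SKEW_SECONDS:
        return False, "auth_time lies in the future by %ds" % int(-age)
    if age > max_auth_age:
        return False, "authentication is %ds old, RP limit is %ds" % (int(age), max_auth_age)
    return True, "authentication is %ds old, within %ds" % (int(age), max_auth_age)


# Constructed sample of the positive assertion an OP might return for a
# sensitive RP action (values are illustrative, not captured traffic).
SAMPLE_RESPONSE = {
    "openid.ns": OPENID2_NS,
    "openid.mode": "id_res",
    "openid.op_endpoint": "https://op.example.com/openid",
    "openid.claimed_id": "https://op.example.com/user/alice",
    "openid.identity": "https://op.example.com/user/alice",
    "openid.return_to": "https://shop.example.net/checkout/return",
    "openid.response_nonce": "2008-09-29T16:46:59ZAbCdEf",
    "openid.assoc_handle": "assoc-1",
    "openid.ns.pape": PAPE_NS,
    "openid.pape.auth_time": "2008-09-29T16:40:00Z",
    "openid.pape.auth_policies": "http://schemas.openid.net/pape/policies/2007/06/none",
    "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,"
                     "assoc_handle,ns.pape,pape.auth_time,pape.auth_policies",
    "openid.sig": "(signature, assumed already verified)",
}

if __name__ == "__main__":
    print(build_checkid_request("https://op.example.com/openid",
                                "https://op.example.com/user/alice",
                                "https://shop.example.net/checkout/return",
                                "https://shop.example.net/", max_auth_age=0))
    now = parse_auth_time("2008-09-29T16:47:17Z")  # the RP's clock, fixed for the demo
    print(check_freshness(SAMPLE_RESPONSE, max_auth_age=600, now=now))
    print(check_freshness(SAMPLE_RESPONSE, max_auth_age=300, now=now))
```

The point of the second half is that max_auth_age is a request, not a guarantee: an OP that ignores the extension, or a tampered redirect, still yields a perfectly valid-looking assertion. Requiring the PAPE fields to appear in openid.signed and comparing auth_time against the RP's own clock is what turns the "reprompt the user" policy into something the RP can actually enforce for the credit-card, subscription and bidding cases above.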