[OpenID] Password age and password reset
Andrew Arnott
andrewarnott at gmail.com
Wed May 13 23:54:13 UTC 2009
Why do you say the RP doesn't know which OP introduced the current session?
If it cared to know, it could store that information easily enough. Every
RP must be conscious of which OP asserted the user the last time he logged
into the RP in order to verify the assertion.
--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death
your right to say it." - S. G. Tallentyre
On Wed, May 13, 2009 at 12:23 PM, Peter Williams <pwilliams at rapattoni.com> wrote:
> In the delegated case, the rp does not know which op introduced the
> current session. The id and endpoint of the asserting op is not stored
> state info. The op used on the next run of openid auth may not be the same
> as the previous session (since it depends on criteria, and the latest
> vals in the vanity xrds). If we had identiless transactions (that "resume" a
> previous security context, cryptographically) we'd be in better shape.
>
> -----Original Message-----
> From: Breno de Medeiros <breno at google.com>
> Sent: Wednesday, May 13, 2009 2:44 PM
> To: Peter Williams <pwilliams at rapattoni.com>
> Cc: Santosh Rajan <santrajan at gmail.com>; general at openid.net <
> general at openid.net>
> Subject: Re: [OpenID] Password age and password reset
>
>
> On Wed, May 13, 2009 at 11:07 AM, Peter Williams
> <pwilliams at rapattoni.com> wrote:
> > Out of interest, assuming the user has bound several openids to the rp
> account, which op gets all this data? The one introducing the current
> session, or all of them?
>
> I assume the OP that the user is trying to use to login now?
>
> >
> > Does the rp using a vanity openid need the user's consent before reporting
> suspicious or improper (user) conduct to a third party (the op)? Or should
> the transfer be covert?
>
> In what I am proposing the transfer is intermediated by the browser,
> so not covert.
>
>
>
> --
> --Breno