[OpenID] Password age and password reset
Peter Williams
pwilliams at rapattoni.com
Thu May 14 17:02:55 UTC 2009
OpenID auth has no ability to signal its reliance decisions to the OP.
I can see a world in which RP metadata contains a set of reliance rules, which the IdP ensures the assertion will satisfy (before the assertion is released). If not, then the user is prompted to decide if visiting that RP is worth the cost of coming into compliance with the RP reliance policy.
For example: Rapattoni RP says authInstant must be less than 5m. So when Yahoo OP is about to release assertions based on a user authentication done almost 2 weeks ago, it gives the user a choice: don't go there, or reauthenticate.
similarly
-----Original Message-----
From: SitG Admin <sysadmin at shadowsinthegarden.com>
Sent: Thursday, May 14, 2009 12:04 PM
To: Peter Williams <pwilliams at rapattoni.com>
Cc: general at openid.net <general at openid.net>
Subject: RE: [OpenID] Password age and password reset
>If the user subscribes to 10 RPs, can he be asked to change
>password by any of them, at any moment (at any of n IdPs) or else be
>"locked out"?
>
>So far, this is what has been said.
The policy for one RP does not extend to the other RPs - if the one
RP suspects that the user's password is too old (or too new), it can
send the user back to the OP with an assertion for and from ITSELF
(not any other RP's) that the user will be "locked out" from the one
RP until certain conditions have been met.
There is a related discussion on the specs list about group IDs,
some implementations of which could result in multiple concurrent
active sessions - usually a sign of suspicious activity.
-Shade
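The reliance rule sketched in the thread (RP metadata says authInstant must be under 5 minutes; the OP evaluates it before releasing the assertion and otherwise offers the user a choice between abandoning the visit and re-authenticating), as an added Python example that is not from the thread or from any OpenID implementation. The policy and session types, the realm and the timestamps are assumptions; the RP-side re-check is included because OpenID gives an OP no obligation to honour such a rule, so an RP that cares must verify the asserted auth instant itself.

```python
"""Hypothetical OP-side evaluation of an RP reliance rule (example code,
not part of any OpenID spec or implementation discussed in the thread)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum


class Decision(Enum):
    RELEASE = "release"        # assertion satisfies the RP rule
    REAUTHENTICATE = "reauth"  # ask user: re-authenticate or do not go there


@dataclass(frozen=True)
class ReliancePolicy:
    """Hypothetical RP metadata: the OP must not reuse an authentication
    older than max_auth_age when releasing an assertion to this RP."""
    rp_realm: str
    max_auth_age: timedelta


@dataclass(frozen=True)
class OpSession:
    """State the OP holds for the logged-in user."""
    user: str
    auth_instant: datetime  # when the user last actually authenticated


def evaluate_reliance(policy: ReliancePolicy, session: OpSession, now: datetime) -> Decision:
    """OP side: decide before the assertion is released, as the thread proposes."""
    age = now - session.auth_instant
    # A future auth_instant means clock trouble or tampering: never treat it as fresh.
    if age < timedelta(0) or age >= policy.max_auth_age:
        return Decision.REAUTHENTICATE
    return Decision.RELEASE


def rp_accepts(policy: ReliancePolicy, asserted_auth_instant: datetime, now: datetime) -> bool:
    """RP side: re-check the asserted auth instant rather than trusting the OP
    to have enforced the rule (a plain OpenID OP has no obligation to)."""
    age = now - asserted_auth_instant
    return timedelta(0) <= age < policy.max_auth_age


# Constructed sample matching the thread's example: the RP demands under 5 minutes,
# while the OP's session was authenticated almost two weeks ago.
RAPATTONI = ReliancePolicy(rp_realm="https://rp.example/", max_auth_age=timedelta(minutes=5))
NOW = datetime(2009, 5, 14, 17, 0, tzinfo=timezone.utc)
STALE = OpSession(user="alice", auth_instant=NOW - timedelta(days=13, hours=20))
FRESH = OpSession(user="alice", auth_instant=NOW - timedelta(minutes=2))

if __name__ == "__main__":
    for s in (STALE, FRESH):
        print(s.auth_instant.isoformat(), evaluate_reliance(RAPATTONI, s, NOW).value)
```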