[security] PAPE Policy for RPs to force authentication without browser cookie

Dirk Balfanz balfanz at google.com
Wed Jul 1 06:18:54 UTC 2009


On Tue, Jun 30, 2009 at 11:11 PM, Nate Klingenstein <ndk at internet2.edu> wrote:

> Dick,
>
>> I am suggesting changing the spec for the privacy reasons you stated. The
>> RP does not need to know when the last auth was, just that it met the RP's
>> policy.
>>
>
> How can this be done if the request isn't signed?  Can't a user presenting
> the request change the max_auth_age to whatever it wants, or omit it
> entirely?  "Yes, I met your requirement" doesn't mean much if the
> requirement itself can be trivially changed by the client and the RP has no
> indication this occurred.
>

Good catch. That's another argument for max_auth_age in the request merely
being a hint, and auth_time in the response being the thing that matters.

Dirk.


>
> Confused,
> Nate.
>
> _______________________________________________
> security mailing list
> security at openid.net
> http://openid.net/mailman/listinfo/security
>
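The check Dirk's reply implies, written up as an added illustration (not code from the thread or from any OpenID library): the RP ignores whatever max_auth_age ended up in the request and decides freshness only from the OP-signed auth_time in the PAPE response. It assumes the OP signature has already been verified, that the PAPE extension uses the alias "pape", and that the RP's own freshness window is 300 seconds; the sample responses are constructed.

```python
from datetime import datetime, timedelta, timezone

# Hypothetical RP policy: the user must have actively authenticated at the
# OP within this window. Only the signed response decides whether it was met.
RP_MAX_AUTH_AGE = timedelta(seconds=300)
CLOCK_SKEW = timedelta(seconds=30)  # tolerate a slightly fast OP clock


def rp_auth_is_fresh(response, now, max_age=RP_MAX_AUTH_AGE):
    """Return True only if the OP-signed pape.auth_time satisfies the RP's
    own policy. `response` is a dict of openid.* parameters whose signature
    has already been verified. The request's max_auth_age is never consulted:
    it is only a hint to the OP, and the client could have changed or
    dropped it on the way."""
    signed = set(response.get("openid.signed", "").split(","))
    # An auth_time outside openid.signed is not covered by the OP signature
    # and proves nothing, even if it looks recent.
    if "pape.auth_time" not in signed:
        return False
    raw = response.get("openid.pape.auth_time")
    if raw is None:
        return False
    try:
        # PAPE 1.0 auth_time format: UTC, YYYY-MM-DDThh:mm:ssZ
        auth_time = datetime.strptime(raw, "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return False
    age = now - auth_time.replace(tzinfo=timezone.utc)
    return -CLOCK_SKEW <= age <= max_age


# Constructed sample responses (trimmed to the fields this check needs).
NOW = datetime(2009, 6, 30, 23, 15, 0, tzinfo=timezone.utc)
SIGNED = "op_endpoint,claimed_id,identity,response_nonce,ns.pape,pape.auth_time"
SAMPLE_FRESH = {"openid.signed": SIGNED,
                "openid.pape.auth_time": "2009-06-30T23:12:30Z"}   # 150 s old
SAMPLE_STALE = {"openid.signed": SIGNED,
                "openid.pape.auth_time": "2009-06-30T22:00:00Z"}   # 75 min old
SAMPLE_UNSIGNED = {"openid.signed": "op_endpoint,claimed_id,identity,response_nonce",
                   "openid.pape.auth_time": "2009-06-30T23:12:30Z"}  # recent but unsigned

if __name__ == "__main__":
    for name, resp in [("fresh", SAMPLE_FRESH), ("stale", SAMPLE_STALE),
                       ("unsigned", SAMPLE_UNSIGNED)]:
        print(name, rp_auth_is_fresh(resp, NOW))
```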