[security] [specs-pape] PAPE Policy for RPs to force authentication without browser cookie

John Bradley jbradley at mac.com
Wed Jul 1 16:30:39 UTC 2009


That is why auth_age MUST be returned as a signed parameter in the response.

That is the only way the RP has any idea the OP saw the request.

I happen to agree about signed requests but let's not boil the ocean on this one.

John B.
On 1-Jul-09, at 2:11 AM, Nate Klingenstein wrote:

> Dick,
>
>> I am suggesting changing the spec for the privacy reasons you  
>> stated. The RP does not need to know when the last auth was, just  
>> that it met the RP's policy.
>
> How can this be done if the request isn't signed?  Can't a user  
> presenting the request change the max_auth_age to whatever it wants,  
> or omit it entirely?  "Yes, I met your requirement" doesn't mean  
> much if the requirement itself can be trivially changed by the  
> client and the RP has no indication this occurred.
>
> Confused,
> Nate.
> _______________________________________________
> specs-pape mailing list
> specs-pape at openid.net
> http://openid.net/mailman/listinfo/specs-pape
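The check the thread is arguing about, as an added example that is not part of the original exchange and not code from the OpenID project: the RP reads the OP's authentication time from the positive assertion, confirms that the field (and the PAPE namespace declaration) is inside the list of signed fields, and compares it against the RP's own stored freshness policy rather than against any max_auth_age echoed back from the (unsigned) request. The parameter names `openid.pape.auth_time`, `openid.pape.max_auth_age` and the PAPE 1.0 namespace URI are taken from the PAPE 1.0 spec (the thread calls the response field "auth_age"); the sample response dictionary is constructed, its `openid.sig` value is a placeholder, and the code assumes the caller has already verified the signature over `openid.signed` via the association or check_authentication.

```python
from datetime import datetime, timezone

# PAPE 1.0 namespace URI; the OP may bind it to any alias via openid.ns.<alias>.
PAPE_NS = "http://specs.openid.net/extensions/pape/1.0"


class PapePolicyError(Exception):
    """Raised when the OP's response does not satisfy the RP's freshness policy."""


def _pape_alias(params):
    """Return the namespace alias the OP used for PAPE, e.g. 'pape' for openid.ns.pape."""
    for key, value in params.items():
        if key.startswith("openid.ns.") and value == PAPE_NS:
            return key[len("openid.ns."):]
    return None


def check_auth_freshness(params, max_auth_age, now=None):
    """Verify that the signed PAPE auth_time in an OpenID 2.0 positive assertion
    meets the RP's own max_auth_age policy (in seconds).

    Assumes the signature over the fields named in openid.signed has already been
    verified. Returns the authentication age in seconds or raises PapePolicyError.
    """
    if now is None:
        now = datetime.now(timezone.utc)

    alias = _pape_alias(params)
    if alias is None:
        raise PapePolicyError("OP did not include the PAPE extension in its response")

    # openid.signed lists the signed field names with the 'openid.' prefix removed.
    signed = set(params.get("openid.signed", "").split(","))

    # Both the namespace declaration and auth_time must be under the signature;
    # an unsigned field could have been added or altered by whoever relayed the
    # response, which is exactly the point made in the thread.
    for field in ("ns." + alias, alias + ".auth_time"):
        if field not in signed:
            raise PapePolicyError(field + " is not covered by the OP's signature")

    raw = params.get("openid." + alias + ".auth_time")
    if raw is None:
        raise PapePolicyError("auth_time missing from response")
    try:
        # PAPE 1.0 specifies UTC in the form YYYY-MM-DDThh:mm:ssZ.
        auth_time = datetime.strptime(raw, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        raise PapePolicyError("auth_time is not in PAPE UTC format: %r" % raw)

    age = (now - auth_time).total_seconds()
    if age < 0:
        raise PapePolicyError("auth_time lies in the future; clock skew or a bad value")
    if age > max_auth_age:
        raise PapePolicyError("authentication is %.0fs old; policy allows %ds" % (age, max_auth_age))
    return age


# Constructed sample assertion (not a real OP response; the signature is a placeholder).
SAMPLE_NOW = datetime(2009, 7, 1, 16, 30, 39, tzinfo=timezone.utc)
SAMPLE_RESPONSE = {
    "openid.ns": "http://specs.openid.net/auth/2.0",
    "openid.mode": "id_res",
    "openid.ns.pape": PAPE_NS,
    "openid.pape.auth_time": "2009-07-01T16:25:39Z",   # five minutes before SAMPLE_NOW
    "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,"
                     "assoc_handle,ns.pape,pape.auth_time",
    "openid.sig": "PLACEHOLDER-NOT-A-REAL-SIGNATURE",
}

# Same assertion, but the OP (or a relaying client) left the PAPE fields unsigned.
UNSIGNED_RESPONSE = dict(SAMPLE_RESPONSE)
UNSIGNED_RESPONSE["openid.signed"] = (
    "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle"
)


if __name__ == "__main__":
    # RP policy: require authentication within the last ten minutes.
    print("age (s):", check_auth_freshness(SAMPLE_RESPONSE, 600, now=SAMPLE_NOW))
    for label, resp, policy in (("unsigned", UNSIGNED_RESPONSE, 600),
                                ("too old", SAMPLE_RESPONSE, 60)):
        try:
            check_auth_freshness(resp, policy, now=SAMPLE_NOW)
        except PapePolicyError as exc:
            print(label, "rejected:", exc)
```

The policy value passed in is the RP's own configured limit; the function never reads a max_auth_age out of the response, because the request that carried it travelled through the user's browser unsigned and proves nothing about what the OP actually enforced.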