[security] PAPE Policy for RPs to force authentication without browser cookie
Dick Hardt
dick.hardt at gmail.com
Wed Jul 1 16:45:32 UTC 2009
On 30-Jun-09, at 11:11 PM, Nate Klingenstein wrote:
> Dick,
>
>> I am suggesting changing the spec for the privacy reasons you
>> stated. The RP does not need to know when the last auth was, just
>> that it met the RP's policy.
>
> How can this be done if the request isn't signed? Can't a user
> presenting the request change the max_auth_age to whatever it wants,
> or omit it entirely? "Yes, I met your requirement" doesn't mean
> much if the requirement itself can be trivially changed by the
> client and the RP has no indication this occurred.
My suggestion was that max_auth_age was also in the response, which is
signed, so that the RP knows what the OP said it did.
-- Dick
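As an added illustration of the exchange discussed in this thread (example code, not from the list, the PAPE spec, or either author): the RP sends an unsigned request carrying max_auth_age, the user agent can rewrite it in transit, and the OP echoes the value it actually applied into the signed response, so the RP can compare the echoed policy with the one it stored when it built the request. It assumes a simplified OpenID 2.0-style HMAC over the key:value form of the fields named in openid.signed, a constructed association MAC key, and a hypothetical OP endpoint URL.

```python
import base64
import hashlib
import hmac

# Constructed sample association MAC key shared by RP and OP. In OpenID 2.0 it
# comes from the association handshake; here it is a fixed demo value.
MAC_KEY = b"demo-association-mac-key"
OP_ENDPOINT = "https://op.example/endpoint"  # assumed, not a real OP
RP_MAX_AUTH_AGE = 300  # RP policy: authentication no older than 5 minutes

# Fields the OP lists in openid.signed (names without the "openid." prefix).
# "signed" itself is included so the list cannot be edited without detection.
SIGNED_KEYS = ["op_endpoint", "return_to", "mode", "ns.pape",
               "pape.max_auth_age", "signed"]


def rp_build_request(return_to):
    """RP side: the (unsigned) checkid_setup request carrying the PAPE policy."""
    return {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "checkid_setup",
        "openid.return_to": return_to,
        "openid.ns.pape": "http://specs.openid.net/extensions/pape/1.0",
        "openid.pape.max_auth_age": str(RP_MAX_AUTH_AGE),
    }


def user_agent_tampers(request, new_max_auth_age):
    """Nate's concern: the request is unsigned, so the browser can rewrite the policy."""
    tampered = dict(request)
    tampered["openid.pape.max_auth_age"] = str(new_max_auth_age)
    return tampered


def _kv_form(fields):
    """Key:value form of the fields named in openid.signed, in that order."""
    return "".join(f"{k}:{fields['openid.' + k]}\n"
                   for k in fields["openid.signed"].split(","))


def _sign(fields, mac_key):
    digest = hmac.new(mac_key, _kv_form(fields).encode(), hashlib.sha256).digest()
    return base64.b64encode(digest).decode()


def op_build_response(request, mac_key=MAC_KEY):
    """OP side: echo the max_auth_age it enforced into the signed response (Dick's proposal)."""
    fields = {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "id_res",
        "openid.op_endpoint": OP_ENDPOINT,
        "openid.return_to": request["openid.return_to"],
        "openid.ns.pape": request["openid.ns.pape"],
        # The OP reports the policy it actually applied: whatever reached it.
        "openid.pape.max_auth_age": request["openid.pape.max_auth_age"],
        "openid.signed": ",".join(SIGNED_KEYS),
    }
    fields["openid.sig"] = _sign(fields, mac_key)
    return fields


def rp_verify_response(response, expected_max_auth_age=RP_MAX_AUTH_AGE, mac_key=MAC_KEY):
    """RP side: check the signature covers the echoed policy, verify it, then compare."""
    if "pape.max_auth_age" not in response.get("openid.signed", "").split(","):
        return False, "max_auth_age not covered by signature"
    expected_sig = _sign(response, mac_key)
    if not hmac.compare_digest(expected_sig, response.get("openid.sig", "")):
        return False, "bad signature"
    echoed = int(response["openid.pape.max_auth_age"])
    if echoed != expected_max_auth_age:
        return False, f"OP applied max_auth_age={echoed}, RP requested {expected_max_auth_age}"
    return True, "policy honoured"


if __name__ == "__main__":
    req = rp_build_request("https://rp.example/return")
    print(rp_verify_response(op_build_response(req)))
    print(rp_verify_response(op_build_response(user_agent_tampers(req, 86400))))
```

The RP keeps the max_auth_age it requested in its own session state rather than trusting anything in the return URL, and it only learns whether the OP applied that policy, not when the user last authenticated.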