[security] PAPE Policy for RPs to force authentication without browser cookie
John Bradley
jbradley at mac.com
Thu Jul 2 00:33:29 UTC 2009
The simple solution is to put an upper bound on the max_auth_age.
If the OP doesn't want to disclose that you logged in 23h ago but
would be willing to disclose up to 4h ago it can always prompt the
user to re-authenticate if they did their last login more than 4h ago.
Nothing in the PAPE spec restricts an OP from doing that.
If OPs start creatively interpreting PAPE it will have no value to RPs.
There is a clear way to honor the RP's request and preserve privacy.
If the OP is that concerned about privacy they can prompt the user to
authenticate each time.
If the PAPE parameters have changed from the user's original
authentication they need to be re-authenticated anyway.
John B.
On 1-Jul-09, at 8:10 PM, James A. Donald wrote:
> SitG Admin wrote:
>> Let's combine this with checkid_immediate: who needs the OP to say
>> anything? Just query it again and again until you've narrowed down
>> the user's last login to whatever degree of precision you wanted.
>
> Limit the number of max auth ages that can be specified by any one
> RP within a reasonable period.
>
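The OP-side policy John describes above (honour the RP's max_auth_age, but cap what is disclosed at an OP-chosen bound and force a fresh login beyond it), written out as an added example. This code is not from the thread, the OpenID libraries or the PAPE spec; the `OpSession` class, `make_session`, the 4-hour bound and the clock value are assumptions constructed for the example. The parameter names `openid.pape.max_auth_age` and `openid.pape.auth_time` are the real PAPE ones. The example also covers the probing concern quoted in the thread: a sequence of checkid_immediate requests with varied max_auth_age values learns nothing finer than the bound, because the first request that exceeds it triggers a re-authentication that resets the session clock.

```python
from datetime import datetime, timedelta, timezone

# Constructed reference clock for the example (not a real event time).
NOW = datetime(2009, 7, 2, 0, 33, 29, tzinfo=timezone.utc)


def pape_auth_time(dt):
    """Format a UTC datetime the way PAPE's openid.pape.auth_time expects."""
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


class OpSession:
    """Hypothetical OP-side state for one user session (assumed, not a real library).

    disclosure_bound is the OP's own privacy ceiling: it will report an
    auth_time at most this old. Anything older triggers a fresh login
    instead of a disclosure.
    """

    def __init__(self, last_auth, disclosure_bound=timedelta(hours=4)):
        self.last_auth = last_auth
        self.disclosure_bound = disclosure_bound
        self.reauth_prompts = 0  # how often the user was made to log in again

    def respond(self, requested_max_age, now):
        """Answer an RP request carrying openid.pape.max_auth_age (in seconds).

        Returns (reauthenticated, auth_time) where auth_time is the value the
        OP would place in openid.pape.auth_time.
        """
        rp_limit = timedelta(seconds=requested_max_age)
        # The stricter of the RP's policy and the OP's privacy ceiling wins.
        effective_limit = min(rp_limit, self.disclosure_bound)
        if now - self.last_auth > effective_limit:
            # Too old for the RP, or older than the OP is willing to reveal:
            # prompt the user to re-authenticate. The session clock resets.
            self.last_auth = now
            self.reauth_prompts += 1
            return True, pape_auth_time(now)
        # Within both limits: the exact auth_time is disclosed, but it is
        # never more than disclosure_bound old.
        return False, pape_auth_time(self.last_auth)


def make_session(hours_since_login, bound_hours=4):
    """Build a session whose user last logged in the given number of hours ago."""
    return OpSession(NOW - timedelta(hours=hours_since_login),
                     timedelta(hours=bound_hours))


def disclosed_age_seconds(session, requested_max_age, now=NOW):
    """Seconds of login age an RP can infer from one response (0 after a fresh login)."""
    _, auth_time = session.respond(requested_max_age, now)
    reported = datetime.strptime(auth_time, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return int((now - reported).total_seconds())


if __name__ == "__main__":
    # The 23h-ago case from the thread: RP would accept 48h, OP only discloses up to 4h.
    s = make_session(23)
    print(s.respond(48 * 3600, NOW))            # (True, '2009-07-02T00:33:29Z')
    # Repeated probing with shrinking max_auth_age values learns only zeros afterwards.
    probe = make_session(23)
    print([disclosed_age_seconds(probe, a) for a in (90000, 86400, 43200, 21600)])
    print("re-authentication prompts:", probe.reauth_prompts)
```

Running the block shows the two outcomes an RP can ever observe: either a fresh login (auth_time equals the current time) or an auth_time no older than the OP's bound, whatever value of max_auth_age the RP sends.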