<br><br><div class="gmail_quote">On Tue, Jun 30, 2009 at 11:11 PM, Nate Klingenstein <span dir="ltr"><<a href="mailto:ndk@internet2.edu">ndk@internet2.edu</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
Dick,<div class="im"><br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
I am suggesting changing the spec for the privacy reasons you stated. The RP does not need to know when the last auth was, just that it met the RP's policy.<br>
</blockquote>
<br></div>
How can this be done if the request isn't signed? Can't a user presenting the request change the max_auth_age to whatever it wants, or omit it entirely? "Yes, I met your requirement" doesn't mean much if the requirement itself can be trivially changed by the client and the RP has no indication this occurred.<br>
</blockquote><div><br></div><div>Good catch. That's another argument for max_auth_age in the request merely being a hint, and auth_time in the response being the thing that matters.</div><div><br></div><div>Dirk.</div>
<div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;"><br>
Confused,<br><font color="#888888">
Nate.</font><div><div></div><div class="h5"><br>
_______________________________________________<br>
security mailing list<br>
<a href="mailto:security@openid.net" target="_blank">security@openid.net</a><br>
<a href="http://openid.net/mailman/listinfo/security" target="_blank">http://openid.net/mailman/listinfo/security</a><br>
</div></div></blockquote></div><br>
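<div>Added example, not code from this thread or from any OpenID implementation: an RP-side check of the kind Dirk describes. The RP verifies the association HMAC over the fields listed in <code>openid.signed</code>, requires <code>openid.pape.auth_time</code> to be among them, and applies its own freshness policy to that signed value; the <code>openid.pape.max_auth_age</code> it put in the (unsigned) request is treated purely as a hint to the OP and is never consulted when deciding. Field names follow OpenID 2.0 and PAPE 1.0; the association key, endpoint URLs and every message below are constructed for the example.</div>

```python
"""RP-side verification of a signed OpenID 2.0 response carrying PAPE auth_time.

Added example (not from the mailing-list thread or any OpenID library).  The
RP's freshness requirement lives at the RP; nothing echoed from the unsigned
request is trusted.  Key and messages are constructed, not real values.
"""
import base64
import calendar
import hashlib
import hmac
import time
from typing import Dict, Tuple

PAPE_NS = "http://specs.openid.net/extensions/pape/1.0"


def kv_signed_payload(msg: Dict[str, str]) -> bytes:
    """Key-value encoding of the fields named in openid.signed (OpenID 2.0 sec. 6.1).

    Keys are written without the 'openid.' prefix, one 'key:value\\n' per line,
    in the order given by openid.signed.  Raises KeyError if a named field is absent.
    """
    names = msg["openid.signed"].split(",")
    return "".join(f"{k}:{msg['openid.' + k]}\n" for k in names).encode()


def op_sign(msg: Dict[str, str], mac_key: bytes) -> Dict[str, str]:
    """OP side: sign every field with an HMAC-SHA256 association (assumed here)."""
    names = [k[len("openid."):] for k in msg if k not in ("openid.sig", "openid.signed")]
    out = dict(msg)
    out["openid.signed"] = ",".join(names)
    mac = hmac.new(mac_key, kv_signed_payload(out), hashlib.sha256).digest()
    out["openid.sig"] = base64.b64encode(mac).decode()
    return out


def parse_auth_time(value: str) -> int:
    """PAPE auth_time is ISO 8601 in UTC, e.g. 2009-06-30T23:11:00Z -> epoch seconds."""
    return calendar.timegm(time.strptime(value, "%Y-%m-%dT%H:%M:%SZ"))


def rp_accept(resp: Dict[str, str], mac_key: bytes,
              policy_max_age: int, now: int) -> Tuple[bool, str]:
    """RP side.  policy_max_age is the RP's own requirement in seconds.

    Returns (accepted, reason).  The signature is checked first so that a
    client-edited auth_time is rejected before it is ever parsed.
    """
    signed = resp.get("openid.signed", "").split(",")
    try:
        expected = hmac.new(mac_key, kv_signed_payload(resp), hashlib.sha256).digest()
        presented = base64.b64decode(resp.get("openid.sig", ""), validate=True)
    except KeyError:
        return False, "signed list names a missing field"
    except ValueError:  # binascii.Error is a ValueError subclass
        return False, "malformed signature"
    if not hmac.compare_digest(presented, expected):
        return False, "bad signature"
    # auth_time only counts if the OP actually signed it (and its namespace alias).
    if resp.get("openid.ns.pape") != PAPE_NS or "ns.pape" not in signed \
            or "pape.auth_time" not in signed:
        return False, "auth_time absent or not covered by the signature"
    try:
        auth_time = parse_auth_time(resp["openid.pape.auth_time"])
    except ValueError:
        return False, "malformed auth_time"
    if auth_time > now + 60:  # small clock-skew allowance (assumption)
        return False, "auth_time in the future"
    age = now - auth_time
    if age > policy_max_age:
        return False, f"last authentication {age}s ago exceeds RP policy of {policy_max_age}s"
    return True, "ok"


# Constructed association secret and clock for the demonstration.
MAC_KEY = hashlib.sha256(b"constructed association secret").digest()
NOW = parse_auth_time("2009-07-01T00:00:00Z")


def make_response(auth_time: str) -> Dict[str, str]:
    """A constructed positive assertion from a hypothetical OP, signed with MAC_KEY."""
    return op_sign({
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "id_res",
        "openid.op_endpoint": "https://op.example/endpoint",
        "openid.claimed_id": "https://op.example/alice",
        "openid.identity": "https://op.example/alice",
        "openid.return_to": "https://rp.example/return",
        "openid.response_nonce": "2009-07-01T00:00:00ZABCDEF",
        "openid.assoc_handle": "assoc-constructed-1",
        "openid.ns.pape": PAPE_NS,
        "openid.pape.auth_time": auth_time,
    }, MAC_KEY)


if __name__ == "__main__":
    fresh = make_response("2009-06-30T23:50:00Z")      # 10 minutes old
    print(rp_accept(fresh, MAC_KEY, 900, NOW))          # accepted
    tampered = dict(fresh)                               # client edits the value in transit
    tampered["openid.pape.auth_time"] = "2009-06-30T23:59:00Z"
    print(rp_accept(tampered, MAC_KEY, 900, NOW))       # bad signature
    stale = make_response("2009-06-30T20:00:00Z")       # OP ignored the max_auth_age hint
    print(rp_accept(stale, MAC_KEY, 900, NOW))          # rejected by the RP's own policy
```

<div>The third case is the one the thread is about: whatever the OP did with the request's <code>max_auth_age</code>, the RP still enforces its policy against the signed <code>auth_time</code>, so stripping or rewriting the hint on the way to the OP gains the user nothing.</div>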