[Openid-specs-ab] Spec call notes 13-Jun-11

John Bradley ve7jtb at ve7jtb.com
Tue Jun 14 00:05:50 UTC 2011


PAPE doesn't require synchronized clocks.    I know Dirk was fixating on that at one point.

The request is in seconds.

The response is the time of the last authentication.  
Getting a pape.auth_time in the response tells you the IdP honoured the request.   The time itself is extra info.

In a lot of cases tracking the RP nonce will be more complicated.  

I don't hate the proposal, or anything like that.   

If the RP takes the nonce in the request, and puts it in the ID token, I don't see how that confirms that the IdP re-prompted the user.  
If the request is unsigned then the user could have removed the prompt=login from the request.

Is prompt= in the returned ID token as well?

I can see the RP nonce being useful potentially for other RP state info perhaps.
Perhaps nonce is not the correct name?

John B.
On 2011-06-13, at 6:53 PM, Breno de Medeiros wrote:

>> 
>> They discussed a nonce parameter
>> 
>>                 John wasn't sure what they were trying to accomplish with
>> this
> 
> I think the FB use case is to create a version of PAPE that doesn't
> require synchronized clocks. One can send a nonce and prompt=login and
> check the nonce to validate that the user was prompted. I found that
> interesting for discussion here.
> 
> 
