<head>
<style>
code {
font-family: SFMono-Regular, Menlo, Consolas, "PT Mono", "Liberation Mono", Courier, monospace;
}
p {
min-height: 19.5px; /* Set a minimum height so empty p tags still take up vertical space; matches gmail empty line height */
border-radius: 0px;
}
ol.custom-editor-ordered-list-class {
padding-inline-start: 0px;
margin: 1px 0px;
padding-inline-start: 24px;
min-height: calc(1.5em + 6px);
}
ul.custom-editor-bullet-list-class {
padding-inline-start: 0px;
margin: 1px 0px;
padding-inline-start: 24px;
min-height: calc(1.5em + 6px);
}
pre.custom-editor-code-block-class {
flex-shrink: 1;
text-align: left;
font-family: SFMono-Regular, Menlo, Consolas, "PT Mono", "Liberation Mono", Courier, monospace;
font-size: 13.6px;
tab-size: 2;
padding: 34px 16px 32px 32px;
min-height: 1em;
white-space: pre;
border-radius: 4px;
text-align: left;
position: relative;
background: rgba(135,131,120,.15);
min-width: 0px;
width: 100%;
box-sizing: border-box;
}
hr.custom-editor-divider-class {
border: none;
border-top: 1px solid rgba(135,131,120,.15);
width: 100%;
}
blockquote {
border-left: 3px solid currentcolor;
padding-inline-start: 14px;
margin: 0px;
margin-top: 4px;
font-size: 1em;
padding-right: 2px;
padding-top: 3px;
padding-bottom: 3px;
padding-left: 14px;
}
blockquote.light {
border-left-color: rgba(55, 53, 47, 0.16);
}
blockquote.dark {
border-left-color: rgba(255, 255, 255, 0.13);
}
aside {
display: flex;
width: 100%;
max-width: 100%;
box-sizing: border-box;
border-radius: 4px;
background: rgba(135,131,120,.15);
padding: 16px 16px 16px 12px;
white-space: pre-wrap;
word-break: break-word;
}
.callout-emoji {
user-select: none;
display: flex;
align-items: center;
justify-content: center;
height: 24px;
width: 24px;
font-size: 21.6px;
box-sizing: border-box;
margin-top: -3px;
border-radius: 0.25em;
flex-shrink: 0;
flex-grow: 0;
}
.callout-emoji > img {
height: 18px;
width: 18px;
margin-top: auto;
margin-bottom: auto;
}
.callout-content {
margin-left: 8px;
margin-top: auto;
display: table;
width: 100%;
}
.custom-editor-task-list-class {
list-style: none;
padding: 0;
margin: 0;
}
.custom-editor-task-item-class {
display: flex;
align-items: center;
}
.custom-editor-task-item-class > label {
margin-right: 0.5rem;
cursor: pointer;
user-select: none;
display: flex;
align-items: center;
}
.custom-editor-task-item-class > label > input[type="checkbox"] {
margin-right: 0.5rem;
}
.custom-editor-task-item-checked-class > * {
text-decoration: line-through rgba(55, 53, 47, 0.42);
color: rgba(55, 53, 47, 0.65);
}
.custom-editor-rendered-mention {
opacity: 0.6;
color: unset;
}
.custom-editor-rendered-mention > a {
color: unset;
}
.custom-editor-rendered-mention-page {
font-weight: 500;
max-width: 200px;
}
.custom-editor-rendered-mention-page > a {
color: unset;
}
.custom-editor-rendered-mention-page-link {
border-bottom: 0.05em solid rgba(95, 94, 91, 1);
text-decoration: none !important;
}
pre {
flex-shrink: 1;
text-align: left;
font-family: SFMono-Regular, Menlo, Consolas, "PT Mono", "Liberation Mono", Courier, monospace;
font-size: 13.6px;
tab-size: 2;
padding: 34px 16px 32px 32px;
min-height: 1em;
white-space: pre;
border-radius: 4px;
text-align: left;
position: relative;
background: rgb(247, 246, 243);
min-width: 0px;
width: 100%;
box-sizing: border-box;
text-wrap: wrap;
}
a.custom-editor-link-class {
color: rgba(120, 119, 116, 1);
cursor: pointer;
text-decoration-thickness: 0.05em;
text-underline-offset: 3px;
}
</style>
<style>
* {
-webkit-tap-highlight-color: rgba(0, 0, 0, 0);
-webkit-font-smoothing: antialiased;
line-height: 1.3;
font-family: ui-sans-serif, -apple-system, BlinkMacSystemFont, "Segoe UI", Helvetica, "Apple Color Emoji", Arial, sans-serif, "Segoe UI Emoji", "Segoe UI Symbol";
}
p {
margin: 0px 0px 0px 0px !important;
}
</style>
</head>
<body>
<p dir="auto">Thanks Aaron and Dima.</p><p dir="auto"></p><p dir="auto">If we make the <code class="custom-editor-code-class">auth_time</code> claim mandatory, how would an RP signal that the claim is not fresh enough and the user needs reauthentication for this RP? The RP could then set <code class="custom-editor-code-class">max_age=0</code> or <code class="custom-editor-code-class">prompt=login</code>, but that would lead to interop inconsistency with both parameters being optional. </p><p dir="auto">If we require both <code class="custom-editor-code-class">max_age</code> and <code class="custom-editor-code-class">auth_time</code>, we eliminate any optionality, allow both the OP and RP to set the maximum authentication age before reauthentication, and provide a consistent mechanism for an RP to request a fresh authentication (<code class="custom-editor-code-class">max_age=0</code>).</p><p dir="auto"></p><p dir="auto">Another alternative is to mandate support for <code class="custom-editor-code-class">prompt=login</code> at the OP, leaving it an optional param for the RP. </p><p dir="auto"></p><p dir="auto">Thoughts?</p><p dir="auto">-dhs</p><p dir="auto"></p><blockquote dir="auto" class="notion-mail-quote custom-editor-blockquote-class"><p dir="auto">On Tue, 17 Jun 2025 22:18:05 GMT Aaron Parecki wrote:</p><div dir="auto"><p dir="auto">> Re MUSTs I made an assumption that the spec should take care of many different use cases, not just NIST FAL2 and "I don't trust my OP" subset.<br><br></p><div dir="auto"><p dir="auto">We are using FAL2 as a shortcut for a bunch of security features we know people will want. But this process of going through the FAL2 requirements list is to make the decisions about which of these we want to actually be in scope for IPSIE. We don't *need* to meet all the FAL2 requirements (and we've already decided that some are out of scope).</p></div><div dir="auto"><p dir="auto"><br></p></div><div dir="auto"><p dir="auto">IPSIE is not intended to cover many different use cases, it is intended to cover the specific use cases of integrating apps with an enterprise IdP.</p></div><div dir="auto"><p dir="auto"><br></p></div><div dir="auto"><p dir="auto">> So you are saying that every time RP will ask OP to enforce it but also not fully trusting OP will double check and enforce it too? Just in case...</p></div><div dir="auto"><p dir="auto"><br></p></div><div dir="auto"><p dir="auto">Sort of yes, but also: currently the two methods an RP has to ask for the auth_time claim are the max_age parameter or Extended Claims, and I don't think we want to bring in Extended Claims.</p></div><div dir="auto"><p dir="auto"><br></p></div><div dir="auto"><p dir="auto">I suppose another option here is to just make the auth_time claim mandatory, since it is optional in OIDC today, and then just not address the max_age question at all.</p></div><div dir="auto"><p dir="auto"><br></p></div></div><p dir="auto"><br></p><div dir="auto" class="gmail_quote gmail_quote_container"><div dir="auto" class="gmail_attr"><p dir="auto">On Tue, Jun 17, 2025 at 3:12 PM Dima Postnikov <<a target="_blank" rel="noopener noreferrer nofollow" class="custom-editor-link-class" href="mailto:dima@postnikov.net">dima@postnikov.net</a>> wrote:<br></p></div><blockquote dir="auto" class="notion-mail-quote custom-editor-blockquote-class"><div dir="auto"><p dir="auto">Yes, it's about who is responsible for enforcement.</p><div dir="auto"><p dir="auto"><br></p></div><div dir="auto"><p dir="auto">So you are saying that every time RP will ask OP to enforce it but also not fully trusting OP will double check and enforce it too? Just in case...</p></div><div dir="auto"><p dir="auto"><br></p></div><div dir="auto"><p dir="auto">Re MUSTs I made an assumption that the spec should take care of many different use cases, not just NIST FAL2 and "I don't trust my OP" subset.</p></div><div dir="auto"><p dir="auto">It's just a personal opinion, I will leave it up to you...</p></div><div dir="auto"><p dir="auto"><br></p></div><div dir="auto"><p dir="auto"><br></p></div></div><p dir="auto"><br></p><div dir="auto" class="gmail_quote"><div dir="auto" class="gmail_attr"><p dir="auto">On Wed, Jun 18, 2025 at 7:58 AM Aaron Parecki <<a target="_blank" rel="noopener noreferrer nofollow" class="custom-editor-link-class" href="mailto:aaron@parecki.com">aaron@parecki.com</a>> wrote:<br></p></div><blockquote dir="auto" class="notion-mail-quote custom-editor-blockquote-class"><div dir="auto"><div dir="auto"><p dir="auto">The RP asking the OP to enforce the max_age *is* the RP asking to enforce its own policy. It then also gets the auth_time claim to confirm the policy it intended was met.</p></div><div dir="auto"><p dir="auto"><br></p></div><div dir="auto"><p dir="auto">Plus, IPSIE *is* the profile where these would be a MUST. We are trying to avoid adding optionality within an IPSIE level.</p></div><div dir="auto"><p dir="auto"><br></p></div><div dir="auto"><p dir="auto"><br></p></div></div><p dir="auto"><br></p><div dir="auto" class="gmail_quote"><div dir="auto" class="gmail_attr"><p dir="auto">On Tue, Jun 17, 2025 at 2:48 PM Dima Postnikov via Openid-specs-ipsie <<a target="_blank" rel="noopener noreferrer nofollow" class="custom-editor-link-class" href="mailto:openid-specs-ipsie@lists.openid.net">openid-specs-ipsie@lists.openid.net</a>> wrote:<br></p></div><blockquote dir="auto" class="notion-mail-quote custom-editor-blockquote-class"><div dir="auto"><div dir="auto"><p dir="auto">Hi Dean,</p></div><div dir="auto"><p dir="auto"><br></p></div><div dir="auto"><p dir="auto">Without too much background on this issue, I feel like we are mixing 2 approaches:</p></div><div dir="auto"><p dir="auto">1) RP asking OP to enforce max_age policy</p></div><div dir="auto"><p dir="auto">2) RP asking for raw <span style="font-family:SFMono-Regular,Menlo,Consolas,"PT Mono","Liberation Mono",Courier,monospace">auth_time</span> to enforce its own policy. </p></div><div dir="auto"><p dir="auto"><br></p></div><div dir="auto"><p dir="auto">I feel like both are not always necessary? </p></div><div dir="auto"><p dir="auto"><br></p></div><div dir="auto"><p dir="auto">There might be a profile of the spec that has these MUSTs but not a core spec?</p></div><div dir="auto"><p dir="auto"><br></p></div><div dir="auto"><p dir="auto">Regards,</p></div><div dir="auto"><p dir="auto">Dima</p></div><p dir="auto"><br></p><div dir="auto" class="gmail_quote"><div dir="auto" class="gmail_attr"><p dir="auto">On Wed, Jun 18, 2025 at 7:16 AM Dean H. Saxe via Openid-specs-ipsie <<a target="_blank" rel="noopener noreferrer nofollow" class="custom-editor-link-class" href="mailto:openid-specs-ipsie@lists.openid.net">openid-specs-ipsie@lists.openid.net</a>> wrote:<br></p></div><blockquote dir="auto" class="notion-mail-quote custom-editor-blockquote-class"><div dir="auto"><div dir="auto"><p dir="auto">TL;DR; - NIST FAL2 requires the RP to be able to specify a maximum age since last authentication in its request to the OP. FAL2 also requires the OP to communicate the timestamp of the last authentication event to the RP. These controls exist to enable the OP and RP to each enforce their own business rules around authentication time and need to be considered for IPSIE.</p><p dir="auto" style="line-height:1.3;font-family:ui-sans-serif,-apple-system,"system-ui","Segoe UI",Helvetica,"Apple Color Emoji",Arial,sans-serif,"Segoe UI Emoji","Segoe UI Symbol";min-height:19.5px;border-radius:0px;color:rgb(29,27,22);font-size:14px;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:-0.15px;text-align:start;text-indent:0px;text-transform:none;word-spacing:0px;white-space:normal;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;margin:0px"></p><p dir="auto" style="line-height:1.3;font-family:ui-sans-serif,-apple-system,"system-ui","Segoe UI",Helvetica,"Apple Color Emoji",Arial,sans-serif,"Segoe UI Emoji","Segoe UI Symbol";min-height:19.5px;border-radius:0px;color:rgb(29,27,22);font-size:14px;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:-0.15px;text-align:start;text-indent:0px;text-transform:none;word-spacing:0px;white-space:normal;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;margin:0px">On today’s IPSIE call we discussed the two issues (#89, #90) and a related PR which attempt to address these concerns. Following a good discussion (located here until the minutes are migrated to the IPSIE Wiki), we agreed to take this discussion to the mailing list. In a nutshell, the discussion comes down to whether the OP or RP should control whether the authentication event has occurred recently enough to be acceptable.</p><p dir="auto" style="line-height:1.3;font-family:ui-sans-serif,-apple-system,"system-ui","Segoe UI",Helvetica,"Apple Color Emoji",Arial,sans-serif,"Segoe UI Emoji","Segoe UI Symbol";min-height:19.5px;border-radius:0px;color:rgb(29,27,22);font-size:14px;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:-0.15px;text-align:start;text-indent:0px;text-transform:none;word-spacing:0px;white-space:normal;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;margin:0px"></p><p dir="auto" style="line-height:1.3;font-family:ui-sans-serif,-apple-system,"system-ui","Segoe UI",Helvetica,"Apple Color Emoji",Arial,sans-serif,"Segoe UI Emoji","Segoe UI Symbol";min-height:19.5px;border-radius:0px;color:rgb(29,27,22);font-size:14px;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:-0.15px;text-align:start;text-indent:0px;text-transform:none;word-spacing:0px;white-space:normal;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;margin:0px">After listening to the discussion this morning, my perspective is that both the OP and RP have an interest in ensuring recency of authentication.</p><ul class="custom-editor-bullet-list-class" dir="auto"><li dir="auto"><p dir="auto" style="line-height:1.3;font-family:ui-sans-serif,-apple-system,BlinkMacSystemFont,"Segoe UI",Helvetica,"Apple Color Emoji",Arial,sans-serif,"Segoe UI Emoji","Segoe UI Symbol";min-height:19.5px;border-radius:0px;margin:0px">The OP’s interest is to ensure that authentication has occurred with sufficient recency to allow another federated authentication event to be processed. The OP is, absent a signal from the RP, unaware of the RP’s recency requirements. Enterprises may choose to enforce this rule centrally at the OP.</p></li><li dir="auto"><p dir="auto" style="line-height:1.3;font-family:ui-sans-serif,-apple-system,BlinkMacSystemFont,"Segoe UI",Helvetica,"Apple Color Emoji",Arial,sans-serif,"Segoe UI Emoji","Segoe UI Symbol";min-height:19.5px;border-radius:0px;margin:0px">The RPs interest is in protecting the users and the RP’s brand. The RP may not trust that the IdP has been configured in a sufficiently secure manner and wants to enforce authentication controls to protect itself.</p></li></ul><p dir="auto" style="line-height:1.3;font-family:ui-sans-serif,-apple-system,"system-ui","Segoe UI",Helvetica,"Apple Color Emoji",Arial,sans-serif,"Segoe UI Emoji","Segoe UI Symbol";min-height:19.5px;border-radius:0px;color:rgb(29,27,22);font-size:14px;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:-0.15px;text-align:start;text-indent:0px;text-transform:none;word-spacing:0px;white-space:normal;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;margin:0px"></p><p dir="auto" style="line-height:1.3;font-family:ui-sans-serif,-apple-system,"system-ui","Segoe UI",Helvetica,"Apple Color Emoji",Arial,sans-serif,"Segoe UI Emoji","Segoe UI Symbol";min-height:19.5px;border-radius:0px;color:rgb(29,27,22);font-size:14px;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:-0.15px;text-align:start;text-indent:0px;text-transform:none;word-spacing:0px;white-space:normal;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;margin:0px">In order to ensure both the OP and RP’s concerns are represented, controls can be established, and the controls do not reduce interop, I have pushed a PR to codify the requirements for the parameter and claim. The PR makes three changes:</p><p dir="auto" style="line-height:1.3;font-family:ui-sans-serif,-apple-system,"system-ui","Segoe UI",Helvetica,"Apple Color Emoji",Arial,sans-serif,"Segoe UI Emoji","Segoe UI Symbol";min-height:19.5px;border-radius:0px;color:rgb(29,27,22);font-size:14px;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:-0.15px;text-align:start;text-indent:0px;text-transform:none;word-spacing:0px;white-space:normal;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;margin:0px"></p><ul class="custom-editor-bullet-list-class" dir="auto"><li dir="auto"><p dir="auto" style="line-height:1.3;font-family:ui-sans-serif,-apple-system,BlinkMacSystemFont,"Segoe UI",Helvetica,"Apple Color Emoji",Arial,sans-serif,"Segoe UI Emoji","Segoe UI Symbol";min-height:19.5px;border-radius:0px;margin:0px">First, the following lines have been added as a requirement for OPs issuing ID tokens:</p><ul class="custom-editor-bullet-list-class" dir="auto"><li dir="auto"><p dir="auto" style="line-height:1.3;font-family:ui-sans-serif,-apple-system,BlinkMacSystemFont,"Segoe UI",Helvetica,"Apple Color Emoji",Arial,sans-serif,"Segoe UI Emoji","Segoe UI Symbol";min-height:19.5px;border-radius:0px;margin:0px">MUST contain the<code class="custom-editor-code-class">auth_time</code>claim to describe when end user authentication last occurred (see Note 4);</p></li><li dir="auto"><p dir="auto" style="line-height:1.3;font-family:ui-sans-serif,-apple-system,BlinkMacSystemFont,"Segoe UI",Helvetica,"Apple Color Emoji",Arial,sans-serif,"Segoe UI Emoji","Segoe UI Symbol";min-height:19.5px;border-radius:0px;margin:0px">Note 4: This claim is required to satisfy the requirements in Section 4.7 of [NIST.FAL].</p></li></ul></li><li dir="auto"><p dir="auto" style="line-height:1.3;font-family:ui-sans-serif,-apple-system,BlinkMacSystemFont,"Segoe UI",Helvetica,"Apple Color Emoji",Arial,sans-serif,"Segoe UI Emoji","Segoe UI Symbol";min-height:19.5px;border-radius:0px;margin:0px">Second, the OpenID providers authorization code flow has been updated with the following requirements:</p><ul class="custom-editor-bullet-list-class" dir="auto"><li dir="auto"><p dir="auto" style="line-height:1.3;font-family:ui-sans-serif,-apple-system,BlinkMacSystemFont,"Segoe UI",Helvetica,"Apple Color Emoji",Arial,sans-serif,"Segoe UI Emoji","Segoe UI Symbol";min-height:19.5px;border-radius:0px;margin:0px">MUST support the <code class="custom-editor-code-class">max_age</code>parameter with a values representing the maximum number of seconds allowable since the user was authenticated by the OP. If the elapsed time since authentication is less than this value, the OP MAY choose to actively reauthenticate the user. If the elapsed time since authentication is greater than this value, the OP MUST actively reauthenticate the user.</p></li></ul></li><li dir="auto"><p dir="auto" style="line-height:1.3;font-family:ui-sans-serif,-apple-system,BlinkMacSystemFont,"Segoe UI",Helvetica,"Apple Color Emoji",Arial,sans-serif,"Segoe UI Emoji","Segoe UI Symbol";min-height:19.5px;border-radius:0px;margin:0px">Third, the RP must send the max_age as a parameter:</p><ul class="custom-editor-bullet-list-class" dir="auto"><li dir="auto"><p dir="auto" style="line-height:1.3;font-family:ui-sans-serif,-apple-system,BlinkMacSystemFont,"Segoe UI",Helvetica,"Apple Color Emoji",Arial,sans-serif,"Segoe UI Emoji","Segoe UI Symbol";min-height:19.5px;border-radius:0px;margin:0px">MUST use the <code class="custom-editor-code-class">max_age</code> parameter in the authentication request to specify the maximum allowable authentication age to the OP in seconds. The <code class="custom-editor-code-class">max_age</code> parameter value MAY be determined based upon the business rules of the RP.</p><p dir="auto" style="line-height:1.3;font-family:ui-sans-serif,-apple-system,BlinkMacSystemFont,"Segoe UI",Helvetica,"Apple Color Emoji",Arial,sans-serif,"Segoe UI Emoji","Segoe UI Symbol";min-height:19.5px;border-radius:0px;margin:0px"></p></li></ul></li></ul><p dir="auto" style="line-height:1.3;font-family:ui-sans-serif,-apple-system,"system-ui","Segoe UI",Helvetica,"Apple Color Emoji",Arial,sans-serif,"Segoe UI Emoji","Segoe UI Symbol";min-height:19.5px;border-radius:0px;color:rgb(29,27,22);font-size:14px;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:-0.15px;text-align:start;text-indent:0px;text-transform:none;word-spacing:0px;white-space:normal;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;margin:0px">I believe that this balances the concerns of both OPs and RPs, does not introduce any interop concerns, and allows both the RP and OP an opportunity to control the recency of an authentication event.</p><p dir="auto" style="line-height:1.3;font-family:ui-sans-serif,-apple-system,"system-ui","Segoe UI",Helvetica,"Apple Color Emoji",Arial,sans-serif,"Segoe UI Emoji","Segoe UI Symbol";min-height:19.5px;border-radius:0px;color:rgb(29,27,22);font-size:14px;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:-0.15px;text-align:start;text-indent:0px;text-transform:none;word-spacing:0px;white-space:normal;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;margin:0px"></p><p dir="auto" style="line-height:1.3;font-family:ui-sans-serif,-apple-system,"system-ui","Segoe UI",Helvetica,"Apple Color Emoji",Arial,sans-serif,"Segoe UI Emoji","Segoe UI Symbol";min-height:19.5px;border-radius:0px;color:rgb(29,27,22);font-size:14px;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:-0.15px;text-align:start;text-indent:0px;text-transform:none;word-spacing:0px;white-space:normal;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;margin:0px">I appreciate any additional comments or feedback on the issues and PR ahead of next week’s call. Ideally we’ll be able to come to rough consensus ahead of the call, allowing the WG to move forward and close these issues soon.</p><p dir="auto" style="line-height:1.3;font-family:ui-sans-serif,-apple-system,"system-ui","Segoe UI",Helvetica,"Apple Color Emoji",Arial,sans-serif,"Segoe UI Emoji","Segoe UI Symbol";min-height:19.5px;border-radius:0px;color:rgb(29,27,22);font-size:14px;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:-0.15px;text-align:start;text-indent:0px;text-transform:none;word-spacing:0px;white-space:normal;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;margin:0px"></p><p dir="auto" style="line-height:1.3;font-family:ui-sans-serif,-apple-system,"system-ui","Segoe UI",Helvetica,"Apple Color Emoji",Arial,sans-serif,"Segoe UI Emoji","Segoe UI Symbol";min-height:19.5px;border-radius:0px;color:rgb(29,27,22);font-size:14px;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:-0.15px;text-align:start;text-indent:0px;text-transform:none;word-spacing:0px;white-space:normal;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;margin:0px">Thanks,</p><p dir="auto" style="line-height:1.3;font-family:ui-sans-serif,-apple-system,"system-ui","Segoe UI",Helvetica,"Apple Color Emoji",Arial,sans-serif,"Segoe UI Emoji","Segoe UI Symbol";min-height:19.5px;border-radius:0px;color:rgb(29,27,22);font-size:14px;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:-0.15px;text-align:start;text-indent:0px;text-transform:none;word-spacing:0px;white-space:normal;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;margin:0px">-dhs</p><p dir="auto" style="line-height:1.3;font-family:ui-sans-serif,-apple-system,"system-ui","Segoe UI",Helvetica,"Apple Color Emoji",Arial,sans-serif,"Segoe UI Emoji","Segoe UI Symbol";min-height:19.5px;border-radius:0px;color:rgb(29,27,22);font-size:14px;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:-0.15px;text-align:start;text-indent:0px;text-transform:none;word-spacing:0px;white-space:normal;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;margin:0px"></p><div dir="auto"><p dir="auto" style="line-height:1.3;font-family:ui-sans-serif,-apple-system,BlinkMacSystemFont,"Segoe UI",Helvetica,"Apple Color Emoji",Arial,sans-serif,"Segoe UI Emoji","Segoe UI Symbol";min-height:19.5px;border-radius:0px;margin:0px">--</p><div dir="auto" style="line-height:1.3;font-family:ui-sans-serif,-apple-system,BlinkMacSystemFont,"Segoe UI",Helvetica,"Apple Color Emoji",Arial,sans-serif,"Segoe UI Emoji","Segoe UI Symbol""><p dir="auto" style="line-height:1.3;font-family:ui-sans-serif,-apple-system,BlinkMacSystemFont,"Segoe UI",Helvetica,"Apple Color Emoji",Arial,sans-serif,"Segoe UI Emoji","Segoe UI Symbol";min-height:19.5px;border-radius:0px;margin:0px">Dean H. Saxe</p></div><div dir="auto" style="line-height:1.3;font-family:ui-sans-serif,-apple-system,BlinkMacSystemFont,"Segoe UI",Helvetica,"Apple Color Emoji",Arial,sans-serif,"Segoe UI Emoji","Segoe UI Symbol""><p dir="auto" style="line-height:1.3;font-family:ui-sans-serif,-apple-system,BlinkMacSystemFont,"Segoe UI",Helvetica,"Apple Color Emoji",Arial,sans-serif,"Segoe UI Emoji","Segoe UI Symbol";min-height:19.5px;border-radius:0px;margin:0px"><a target="_blank" rel="noopener noreferrer nofollow" class="custom-editor-link-class" href="mailto:dean@thesax.es">dean@thesax.es</a></p></div></div></div><p dir="auto"> -- <br>Openid-specs-ipsie mailing list<br><a target="_blank" rel="noopener noreferrer nofollow" class="custom-editor-link-class" href="mailto:Openid-specs-ipsie@lists.openid.net">Openid-specs-ipsie@lists.openid.net</a><br><a target="_blank" rel="noreferrer" class="custom-editor-link-class" href="https://lists.openid.net/mailman/listinfo/openid-specs-ipsie">https://lists.openid.net/mailman/listinfo/openid-specs-ipsie</a><br></p></div></blockquote></div></div><p dir="auto"> -- <br>Openid-specs-ipsie mailing list<br><a target="_blank" rel="noopener noreferrer nofollow" class="custom-editor-link-class" href="mailto:Openid-specs-ipsie@lists.openid.net">Openid-specs-ipsie@lists.openid.net</a><br><a target="_blank" rel="noreferrer" class="custom-editor-link-class" href="https://lists.openid.net/mailman/listinfo/openid-specs-ipsie">https://lists.openid.net/mailman/listinfo/openid-specs-ipsie</a><br></p></blockquote></div></blockquote></div></blockquote></div></blockquote>
</body>