Auth Age clarified
Dick Hardt
dick at sxip.com
Sat Oct 14 22:53:16 PDT 2006
Clarification:
auth_age allows an RP to specify how long it has been since the IdP
has authenticated the user. The use case of this is for sites that
have different auth_age requirements for different sections of the
site. For example, amazon.com lets me browse around the site with a
fairly old auth_age, but when I go to purchase, amazon wants to make
sure it is still me, and asks me for my password again.
With OpenID, the IdP is prompting the user for their password on
behalf of the RP, so in order for amazon to have the same
functionality with OpenID, amazon needs to be able to differentiate
between an authn request with a long auth_age and one with a
zero auth_age.
Note that this is only a request from the RP. It is not a security
requirement. I can have my browser autocomplete my password at
amazon.com, so prompting me for my password again when I checkout
provides no assurance it is still me at the browser, but it is *my*
choice to do that, i.e. the user's choice on how to deal with the
prompt. Amazon is giving me the choice to have higher security on
checkout than on browsing the site.
In other words, Amazon is giving the IdP context about the authn
request. This is similar to the RP stating that a field in a form is
required. There is nothing that forces the user to type anything in,
it is a request.
This is different than an RP requesting strong authentication. This
is a security request, and the RP must trust whoever is making the
claim that strong authentication was performed.
Auth spec vs Extension
Although this functionality could be in an extension, it seems to be
a lot of overhead for a single parameter. This is the AuthN spec
after all, and auth_age is a parameter around what the IdP does wrt.
AuthN.
-- Dick
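As an added illustration for this thread (not code from the post above, from the OpenID spec, or from any OpenID library), here is the per-section auth_age behaviour described above in Python: an RP that sends a relaxed auth_age while the user browses and a zero auth_age at checkout, and the decision an IdP makes when it receives that hint. The parameter name `openid.auth_age` and the response field `openid.auth_time` are assumptions made for the example, since the draft under discussion had not fixed a name (the extension that eventually shipped, PAPE, used `openid.pape.max_auth_age` and `openid.pape.auth_time`). The section policy table and all timestamps are constructed.

```python
"""Per-section auth_age hint in an OpenID 2.0 style checkid_setup request,
plus the IdP-side decision it drives and the RP-side check on the reply.

Assumed for illustration: `openid.auth_age` (RP -> IdP, seconds) and
`openid.auth_time` (IdP -> RP, unix time of the last authentication).
"""
from typing import Optional
from urllib.parse import urlencode

OPENID_NS = "http://specs.openid.net/auth/2.0"
CLOCK_SKEW = 60  # seconds of tolerance between RP and IdP clocks (assumed)

# Constructed policy for an RP like the one described in the thread:
# a week-old login is fine for browsing, checkout wants a fresh one.
SECTION_MAX_AUTH_AGE = {
    "browse": 7 * 24 * 3600,
    "checkout": 0,  # 0 = "ask the user for credentials again, right now"
}


def build_auth_request(claimed_id: str, return_to: str, section: str) -> dict:
    """RP side: the query parameters sent to the IdP for a given site section."""
    params = {
        "openid.ns": OPENID_NS,
        "openid.mode": "checkid_setup",
        "openid.claimed_id": claimed_id,
        "openid.identity": claimed_id,
        "openid.return_to": return_to,
    }
    max_age = SECTION_MAX_AUTH_AGE.get(section)
    if max_age is not None:  # sections with no policy send no hint at all
        params["openid.auth_age"] = str(max_age)  # assumed parameter name
    return params


def to_redirect_url(idp_endpoint: str, params: dict) -> str:
    """Turn the request into the URL the RP redirects the browser to."""
    return idp_endpoint + "?" + urlencode(params)


def idp_must_reprompt(params: dict, last_auth_time: Optional[int], now: int) -> bool:
    """IdP side: should the user be asked for credentials again?

    The hint is only a request from the RP; the IdP still decides how it
    authenticates.  Anything unparseable errs toward re-prompting, which is
    the inconvenient rather than the unsafe direction.
    """
    if last_auth_time is None:
        return True  # no session at the IdP: authenticate regardless of any hint
    raw = params.get("openid.auth_age")
    if raw is None:
        return False  # RP expressed no preference; an existing session is enough
    try:
        max_age = int(raw)
    except ValueError:
        return True  # malformed hint
    if max_age <= 0:
        return True  # zero (or nonsense negative) means "make sure it is still me"
    return (now - last_auth_time) > max_age


def rp_accepts_auth_time(response: dict, section: str, now: int) -> bool:
    """RP side: check the IdP's reported authentication time against policy.

    This only verifies what the IdP claims; as the post says, the RP has to
    trust whoever makes the claim.  Missing or future-dated values are
    rejected for sections that carry a policy.
    """
    max_age = SECTION_MAX_AUTH_AGE.get(section)
    if max_age is None:
        return True  # no policy for this section, nothing to check
    raw = response.get("openid.auth_time")  # assumed response field
    if raw is None:
        return False
    try:
        age = now - int(raw)
    except ValueError:
        return False
    if age < -CLOCK_SKEW:
        return False  # authenticated "in the future": bogus or badly skewed
    return age <= max_age + CLOCK_SKEW


if __name__ == "__main__":
    now = 1_160_884_396  # constructed timestamp (the date of the post)
    req = build_auth_request("https://alice.example/", "https://shop.example/return", "checkout")
    print(to_redirect_url("https://idp.example/openid", req))
    print("reprompt at checkout:", idp_must_reprompt(req, now - 3600, now))
    browse = build_auth_request("https://alice.example/", "https://shop.example/return", "browse")
    print("reprompt while browsing:", idp_must_reprompt(browse, now - 3600, now))
```

The same hint drives both sides: the RP chooses a per-section value, the IdP treats it as advice rather than a requirement, and the RP's check of the reply is only as strong as its trust in the IdP, which is exactly the distinction the post draws between auth_age and a request for strong authentication.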