[PROPOSAL] authentication age
Martin Atkins
mart at degeneration.co.uk
Wed Oct 4 18:40:53 UTC 2006
Dick Hardt wrote:
> I find the argument that IdPs will just return success all the time
> to be baseless. A good IdP will do what it thinks is best for its
> users. A bad IdP will not have any users for any period of time.
I suppose it depends on what you consider to be "bad". Consider this:
* We have an RP that asks for a session age limit of one hour.
* GoodCitizen-IdP respects the session age thing and asks user to log in
again if it's been over an hour since they last did so.
* BadCitizen-IdP just ignores the flag and has sessions that last until
the user closes his browser, but it lies to the RP and says that it
respected the flag.
The user experience on GoodCitizen-IdP is "damnit, why do I have to keep
logging in over and over again?!". The user is likely to be much happier
with BadCitizen-IdP because he only has to log in once each day.
While it's true that BadCitizen-IdP might put its users at more risk,
it's been my experience that users are willing to trade an awful lot of
security to avoid software nagging at them repeatedly.
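An RP can only check what the IdP asserts, which is the point of the scenario above: a lying IdP passes the same check as an honest one. The freshness check itself is shown here as an added example, not code from the thread or any OpenID library; the field name auth_time, its ISO 8601 UTC format, and the two-minute skew allowance are assumptions.

```python
from datetime import datetime, timedelta, timezone

MAX_AUTH_AGE = timedelta(hours=1)   # the RP's requested limit from the example above
CLOCK_SKEW = timedelta(minutes=2)   # assumed tolerance for IdP/RP clock drift


def parse_auth_time(value):
    """Parse an assumed wire format: ISO 8601 in UTC, e.g. "2006-10-04T18:40:53Z"."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def auth_time_acceptable(response, now, max_age=MAX_AUTH_AGE, skew=CLOCK_SKEW):
    """Decide whether the IdP's claimed authentication time satisfies the RP's max age.

    `response` is a dict of assertion fields (constructed shape). Returns (ok, reason).
    The RP is trusting the IdP's claim here; it cannot observe the user's real session.
    """
    raw = response.get("auth_time")
    if raw is None:
        # An IdP that ignores the request may simply omit the field; treat that as stale.
        return False, "IdP did not report an authentication time"
    try:
        auth_time = parse_auth_time(raw)
    except ValueError:
        return False, "unparseable auth_time"
    if auth_time > now + skew:
        # A claimed login time in the future is either clock trouble or a bad assertion.
        return False, "auth_time is in the future"
    if now - auth_time > max_age + skew:
        return False, "authentication older than requested max age"
    return True, "fresh"
```

A failed check should send the user back to the IdP with the age limit restated, which is exactly the repeated prompting the post describes.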