[PROPOSAL] authentication age

Martin Atkins mart at degeneration.co.uk
Wed Oct 4 18:40:53 UTC 2006


Dick Hardt wrote:
> I find the argument that IdPs will just return success all the time  
> to be baseless. A good IdP will do what it thinks is best for its  
> users. A bad IdP will not have any users for any period of time.  

I suppose it depends on what you consider to be "bad". Consider this:

* We have an RP that asks for a session age limit of one hour.

* GoodCitizen-IdP respects the session age thing and asks user to log in 
again if it's been over an hour since they last did so.

* BadCitizen-IdP just ignores the flag and has sessions that last until 
the user closes his browser, but it lies to the RP and says that it 
respected the flag.

The user experience on GoodCitizen-IdP is "damnit, why do I have to keep 
logging in over and over again?!". The user is likely to be much happier 
with BadCitizen-IdP because he only has to log in once each day.

While it's true that BadCitizen-IdP might put its users at more risk, 
it's been my experience that users are willing to trade an awful lot of 
security to avoid software nagging at them repeatedly.
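The scenario above, played out as an added Python sketch (not code from this thread or from any OpenID implementation); the parameter names max_auth_age and auth_time are assumptions, since the proposal's wire format is not given here. It shows why the RP cannot tell the two IdPs apart: it only sees the claimed authentication time.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed parameter names (not from the thread): the RP asks for max_auth_age
# in seconds and the IdP reports auth_time in its assertion.
ONE_HOUR = 3600


@dataclass
class IdPResult:
    auth_time: datetime       # what the IdP tells the RP
    user_reprompted: bool     # what actually happened on the IdP side


def good_citizen_idp(last_login: datetime, now: datetime, max_auth_age: int) -> IdPResult:
    """Re-prompts the user when the session is older than max_auth_age, then reports honestly."""
    if (now - last_login).total_seconds() > max_auth_age:
        return IdPResult(auth_time=now, user_reprompted=True)
    return IdPResult(auth_time=last_login, user_reprompted=False)


def bad_citizen_idp(last_login: datetime, now: datetime, max_auth_age: int) -> IdPResult:
    """Ignores max_auth_age, keeps the browser-lifetime session, and claims it complied."""
    return IdPResult(auth_time=now, user_reprompted=False)


def rp_accepts(result: IdPResult, now: datetime, max_auth_age: int) -> bool:
    """The only check available to the RP: is the *claimed* auth_time within the limit?
    A signature would prove the assertion came from the IdP, not that it is true."""
    return (now - result.auth_time).total_seconds() <= max_auth_age


def run_scenario(hours_since_login: float, max_auth_age: int = ONE_HOUR) -> dict:
    """Constructed scenario: the user last logged in hours_since_login hours ago."""
    now = datetime(2006, 10, 4, 18, 40, tzinfo=timezone.utc)  # date of the post
    last_login = now - timedelta(hours=hours_since_login)
    good = good_citizen_idp(last_login, now, max_auth_age)
    bad = bad_citizen_idp(last_login, now, max_auth_age)
    return {
        "good_accepted": rp_accepts(good, now, max_auth_age),
        "good_reprompted": good.user_reprompted,
        "bad_accepted": rp_accepts(bad, now, max_auth_age),
        "bad_reprompted": bad.user_reprompted,
    }


if __name__ == "__main__":
    # Five hours since login: both IdPs pass the RP's check, only one re-prompted.
    print(run_scenario(5))
```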
