FW: Identifier Lifetime (WAS: RE: [OpenID] Recycling OpenIDs)
Recordon, David
drecordon at verisign.com
Sun Jul 8 19:21:43 UTC 2007
Just food for thought some day...
-----Original Message-----
From: general-bounces at openid.net [mailto:general-bounces at openid.net] On
Behalf Of Evan Prodromou
Sent: Monday, June 11, 2007 5:31 AM
To: openid-general
Subject: Re: [OpenID] Recycling OpenIDs
On Sat, 2007-09-06 at 09:47 -0400, Evan Prodromou wrote:
> If relying parties require some high level of authentication, we have
> ways to specify that.
I think I should have been more specific here: the best way to solve the
ID lifetime problem is to add a parameter to AQE that lets the OP
specify the expected lifetime of the identifier.
enroll.lifetime - integer, time in days that the OP expects the
identifier to identify the current principal. Some sample
values:
* 0: the identifier could belong to a different principal
at any time. For example, anonymous OPs or OPs where
users can manually change their own identifiers to any
unused value at will.
* Session: the identifier will belong to the current
principal for the duration of the principal's browser
session.
* 730: the OP recycles identifiers if they haven't been
used in 2 years.
* Inf: the OP's policy is that the identifier will be used
for only one principal. "Infinity" is an ideal
expectation, subject to the lifetime of the OP, of the
OpenID protocol, of the Internet, and of the universe.
More immediately, there may be changes to the policy in
the future.
Note that there is no way to specify non-zero lifetimes shorter
than one day, and that the special non-integer strings "Session"
and "Inf" are acceptable values.
I'm actually not sure how to implement an OP that would use "Session" --
possibly with a browser plugin? -- but I included it for completeness.
-Evan
--
Evan Prodromou <evan at prodromou.name>
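A relying-party-side check of the value format proposed above, as an added example that is not part of this thread or of any OpenID library. It assumes the value arrives as the raw string of the proposed enroll.lifetime parameter (a hypothetical AQE name from the proposal) and that the RP expresses its policy as the minimum number of days an identifier must stay bound to one principal:

```python
from dataclasses import dataclass
from typing import Optional

# Special non-integer strings from the proposal; everything else must be a
# whole number of days (no fractions: the proposal has no sub-day lifetimes).
SESSION = "Session"
INF = "Inf"


@dataclass(frozen=True)
class Lifetime:
    kind: str                   # "days", "session" or "inf"
    days: Optional[int] = None  # only set when kind == "days"


def parse_enroll_lifetime(raw: str) -> Lifetime:
    """Parse the raw enroll.lifetime value an OP would send (hypothetical
    AQE parameter name from the proposal); reject anything outside it."""
    value = raw.strip()
    if value == SESSION:
        return Lifetime("session")
    if value == INF:
        return Lifetime("inf")
    # ASCII digits only: rejects "", "-3", "1.5", "+7" and lowercase "inf"
    if not (value.isascii() and value.isdigit()):
        raise ValueError(f"unsupported enroll.lifetime value: {raw!r}")
    return Lifetime("days", int(value))


def is_valid_lifetime(raw: str) -> bool:
    try:
        parse_enroll_lifetime(raw)
        return True
    except ValueError:
        return False


def meets_policy(lifetime: Lifetime, min_days: int) -> bool:
    """RP policy: identifier must stay bound to one principal for at least
    min_days (0 means the RP keeps nothing past this session).
    Ordering used: 0 < Session < 1 day <= N days < Inf."""
    if lifetime.kind == "inf":
        return True
    if lifetime.kind == "session":
        # A session-scoped binding only satisfies an RP that needs nothing more.
        return min_days == 0
    return lifetime.days >= min_days


if __name__ == "__main__":
    # Constructed sample values, checked against an RP that keeps accounts a year.
    for raw in ("0", "Session", "730", "Inf", "1.5"):
        if not is_valid_lifetime(raw):
            print(f"{raw!r}: rejected (not in proposed format)")
            continue
        ok = meets_policy(parse_enroll_lifetime(raw), 365)
        print(f"{raw!r}: {'accept' if ok else 'refuse'} for a 365-day policy")
```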