PAPE Extension Specification

Jonathan Daugherty cygnus at janrain.com
Thu Oct 4 21:45:06 UTC 2007


Hello specs list,

I'm currently busy updating the openidenabled.com PHP OpenID
implementation to support PAPE[1].

I think we can agree that there's enough interest in this
specification to justify attempts to make it the best it can be.
Considering the purpose of the extension, it's especially important
for the spec to be clear.

I'm going to recommend some small changes (and ask a few questions).
Provided there's a consensus, I want to get a draft out in the near
future.  I'm happy to write up the changes and commit them myself, but
they warrant some discussion.  I don't expect this to take very long
and I don't think I have any controversial requests.  So, with that
said,

Section 5.1

  - This section does not declare any required parameters for a PAPE
    request, and the "can be" qualifier in the first paragraph is too
    weak.  I suggest 1) making the openid.ns.pape parameter required
    (which is implicit from the OpenID 2 extensions spec, at any rate)
    and rewriting the first paragraph as:

      A PAPE request consists of the following parameters:

  - The description for max_auth_age mentions "active" vs. "indirect"
    user authentication, but the spec defines neither.  I had to read
    5.1 and 5.2 a few times to figure out precisely what they meant.
    Since the distinction is important, I think it would benefit from
    some clarification.  I'm not sure what the best wording would be.

  - For max_auth_age, what does "in a manner fitting the requested
    policies" mean 1) in the case where no policies were requested and
    2) in the case where authentication was performed in accordance
    with a *subset* of the requested policies?

A few more to follow after we knock these out.  Thanks!

[1] <http://openid.net/specs/openid-provider-authentication-policy-extension-1_0-01.txt>

-- 
  Jonathan Daugherty
  JanRain, Inc.
  irc.freenode.net: cygnus in #openid
  cygnus.myopenid.com
