PAPE Extension Specification
Jonathan Daugherty
cygnus at janrain.com
Thu Oct 4 21:45:06 UTC 2007
Hello specs list,
I'm currently busy updating the openidenabled.com PHP OpenID
implementation to support PAPE[1].
I think we can agree that there's enough interest in this
specification to justify attempts to make it the best it can be.
Considering the purpose of the extension, it's especially important
for the spec to be clear.
I'm going to recommend some small changes (and ask a few questions).
Provided there's a consensus, I want to get a draft out in the near
future. I'm happy to write up the changes and commit them myself, but
they warrant some discussion. I don't expect this to take very long
and I don't think I have any controversial requests. So, with that
said,
Section 5.1
- This section does not declare any required parameters for a PAPE
request, and the "can be" qualifier in the first paragraph is too
weak. I suggest 1) making the openid.ns.pape parameter required
(which is implicit from the OpenID 2 extensions spec, at any rate)
and rewriting the first paragraph as:
A PAPE request consists of the following parameters:
- The description for max_auth_age mentions "active" vs. "indirect"
user authentication, but the spec defines neither. I had to read
5.1 and 5.2 a few times to figure out precisely what they meant.
Since the distinction is important, I think it would benefit from
some clarification. I'm not sure what the best wording would be.
- For max_auth_age, what does "in a manner fitting the requested
policies" mean 1) in the case where no policies were requested and
2) in the case where authentication was performed in accordance
with a *subset* of the requested policies?
A few more to follow after we knock these out. Thanks!
[1] <http://openid.net/specs/openid-provider-authentication-policy-extension-1_0-01.txt>
--
Jonathan Daugherty
JanRain, Inc.
irc.freenode.net: cygnus in #openid
cygnus.myopenid.com
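As an added illustration (not code from this post, nor from the openidenabled.com PHP library), here is a Python sketch of an RP-side check written under the reading the post proposes: openid.ns.pape treated as required, and the two max_auth_age cases it asks about resolved conservatively. The namespace URI, the way the OP's answer is represented, and the policy URIs are assumptions or constructed values, as marked in the comments.

```python
# Added example, not from the post or the openidenabled.com PHP library.
# Names beyond the parameters the post mentions are assumptions (see comments).
from urllib.parse import parse_qs

# PAPE 1.0 namespace URI (assumed; verify against the draft you implement).
PAPE_NS = "http://specs.openid.net/extensions/pape/1.0"

# Constructed policy URIs for the demonstration; the real ones live in the spec.
POLICY_A = "http://example.com/pape/policy/phishing-resistant"
POLICY_B = "http://example.com/pape/policy/multi-factor"

# Constructed request query: both policies preferred, re-authentication within 5 minutes.
SAMPLE_QUERY = ("openid.mode=checkid_setup&openid.ns.pape=" + PAPE_NS
                + "&openid.pape.preferred_auth_policies=" + POLICY_A + "+" + POLICY_B
                + "&openid.pape.max_auth_age=300")


def parse_pape_request(query: str) -> dict:
    """Extract PAPE parameters from a checkid_* query string.

    Per the post's suggestion, openid.ns.pape is required; the other two
    parameters stay optional but are validated when present.
    """
    args = {k: v[-1] for k, v in parse_qs(query, keep_blank_values=True).items()}
    if args.get("openid.ns.pape") != PAPE_NS:
        raise ValueError("openid.ns.pape missing or wrong: not a PAPE request")
    policies = args.get("openid.pape.preferred_auth_policies", "").split()
    max_age = args.get("openid.pape.max_auth_age")
    if max_age is not None:
        if not max_age.isdigit():  # rejects "", "-1", "10s"
            raise ValueError("max_auth_age must be a non-negative integer")
        max_age = int(max_age)
    return {"policies": policies, "max_auth_age": max_age}


def satisfies_request(request: dict, auth_policies: set, auth_age: int) -> bool:
    """RP-side decision on the OP's answer.

    auth_policies: policy URIs the OP says it applied during the authentication
    it reports; auth_age: seconds since that active authentication (how the
    response carries these values is assumed here and differs between drafts).
    The two cases the post asks about are resolved conservatively:
      1) no policies requested -> any active authentication within max_auth_age counts;
      2) only a subset of the requested policies applied -> rejected, even if recent.
    """
    if not set(request["policies"]) <= auth_policies:
        return False
    max_age = request["max_auth_age"]
    return max_age is None or auth_age <= max_age
```

A real RP may legitimately relax case 2, since preferred_auth_policies are preferences; the point of the strict version is that the choice has to be made explicitly rather than left to the wording of 5.1.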