PAPE Extension Specification
Johnny Bufu
johnny at sxip.com
Thu Oct 4 23:03:27 UTC 2007
On 4-Oct-07, at 2:45 PM, Jonathan Daugherty wrote:
> - The description for max_auth_age mentions "active" vs. "indirect"
> user authentication, but the spec defines neither. I had to read
> 5.1 and 5.2 a few times to figure out precisely what they meant.
> Since the distinction is important, I think it would benefit from
> some clarification. I'm not sure what the best wording would be.
+1 on clarifying what "active" means. Before getting to wording, I'm
not totally sure what would be considered active authentication and
what wouldn't.
> - For max_auth_age, what does "in a manner fitting the requested
> policies" mean 1) in the case where no policies were requested and
> 2) in the case where authentication was performed in accordance
> with a *subset* of the requested policies?
I believe auth_age in the response is meant to apply to the policies
asserted in the response, rather than the ones requested. (Hinted by
David's comment[1].) The RP can then see if there's a full or partial
match, and decide if it's good enough.
On the same topic, I have suggested before and there seemed to be
agreement[1] that it's more useful if auth_age in the response is
actually a timestamp (auth_time).
Johnny
[1] http://openid.net/pipermail/specs/2007-July/001926.html
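An RP-side check of the semantics argued for above (the response's auth_age, or the proposed auth_time timestamp, judged against the policies the OP actually asserts, with a full or partial match against what was requested), as an added example that is not part of the thread or of the PAPE draft; the timestamp format, the "none" policy URI, the sample policy URIs and the clock-skew tolerance are assumptions:

```python
"""Evaluate a PAPE response the way Johnny's reading of the draft suggests.

Assumed, not taken from the draft: auth_time is "YYYY-MM-DDThh:mm:ssZ" (UTC),
a "none" policy URI means no policy was applied, and a small clock skew is
tolerated. Absent or future auth_time fails closed when max_auth_age was set.
"""
from datetime import datetime, timezone

PAPE_NONE = "http://schemas.openid.net/pape/policies/2007/06/none"  # assumed URI
CLOCK_SKEW_SECONDS = 60  # assumed tolerance for OP/RP clock differences


def parse_auth_time(value):
    """Parse the assumed auth_time format into an aware UTC datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def evaluate_pape(requested_policies, max_auth_age, asserted_policies, auth_time, now):
    """Return (match, fresh, missing).

    match   -- 'full', 'partial' or 'none': asserted policies vs. requested ones
    fresh   -- True if the authentication is recent enough for max_auth_age
               (None max_auth_age means the RP imposed no limit)
    missing -- requested policies the OP did not assert, sorted
    """
    requested = set(requested_policies)
    asserted = set(asserted_policies) - {PAPE_NONE}
    missing = sorted(requested - asserted)
    if not missing:
        match = "full"      # covers the "nothing requested" case too
    elif asserted & requested:
        match = "partial"   # subset of the requested policies was applied
    else:
        match = "none"

    if max_auth_age is None:
        fresh = True
    elif auth_time is None:
        fresh = False       # RP asked for a limit, OP said nothing: fail closed
    else:
        age = (parse_auth_time(now) - parse_auth_time(auth_time)).total_seconds()
        fresh = -CLOCK_SKEW_SECONDS <= age <= max_auth_age
    return match, fresh, missing
```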