PAPE Extension Specification (part 2)
Jonathan Daugherty
cygnus at janrain.com
Tue Oct 9 17:08:48 UTC 2007
Hi all,
Here are a few more items.
Section 5.1
- The spec doesn't specify what should be done in the absence of
max_auth_age in a PAPE request. I could assume, but it would be
easy enough to specify, say, that the OP is to authenticate the
user at its own discretion.
- In my opinion, the third paragraph for max_auth_age (beginning
"The OP should realize") is implicit. I think it should be
removed.
- The preferred_auth_policies specification claims, "If multiple
policies are requested, the OP SHALL try to satisfy as many as it
can." In terms of language strength, "SHALL try" is an oxymoron.
Can we change this to "If multiple policies are requested, the OP
SHOULD satisfy as many as possible"?
- The preferred_auth_policies specification also states that "If no
policies are requested, the RP is interested in other information
such as the authentication age." I think that is speculative and
should be removed. If it isn't removed, I think it should be
moved to a section discussing the protocol flow more generally.
Thanks,
--
Jonathan Daugherty
JanRain, Inc.
irc.freenode.net: cygnus in #openid
cygnus.myopenid.com