Auto logout? Request re-authentication from the server?

Martin Paljak martin at paljak.pri.ee
Wed Jul 2 18:24:33 UTC 2008


On Jul 2, 2008, at 6:29 PM, Simon Josefsson wrote:
> Martin Paljak <martin at paljak.pri.ee> writes:
>
>> Hi Simon,
>>
>>
>> I believe expires_in from
>> http://openid.net/specs/openid-authentication-2_0.html#anchor20
>> is the thing you're interested in?

> Possibly the 'expires_in' is what I am looking for, if the 'MUST NOT' is
> changed into a 'SHOULD NOT' and a note is added to say that sites with
> low security needs can ignore a low expires_in value.
I think in this case we could compare to the food market: "Best before" & "Use before".
You could eat cookies with best before 2 months over the date, yet you probably don't want to drink milk 2 days over the "use before" time. Of course there are some people who like sour milk, but generally the dates are there to lower the risk of somebody getting worms from old meat or so.

The MUST NOT in the spec is totally right because there is no (technical) obligation for the RP to follow this, it is a 'national health department suggests to follow' style suggestion instead. You can eat raw fish which is veeery old and sour (Surströmming? ;)) but generally you don't want to do it.

> Maybe I should write a PAPE authentication profile for this.  I'm trying
> to find out if this is something people feel is generally useful,
> though, which could argue for including it in the standard.

It would be best to keep the timing tuning variables to the minimum to keep the spec understandable and not too complex.




-- 
Martin Paljak
http://martin.paljak.pri.ee
GSM: +3725156495
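The rule under discussion is the one attached to `expires_in` in the OpenID 2.0 association response: the Relying Party MUST NOT use the association after its lifetime has passed. The following is an added example, not code from the thread or from any OpenID library, showing what enforcing that rule looks like on the RP side: an association cache that records `expires_in`, and a positive-assertion verifier that refuses to check `openid.sig` with an expired association. The HMAC-SHA1 over the Key-Value form of the `openid.signed` fields follows the 2.0 spec; the association handle, MAC key, endpoint URLs and timestamps are constructed for the example. The optional `grace` parameter is not in the spec; it only illustrates the "best before" tolerance Simon asks about, with the default of zero being the "use before" behaviour the MUST NOT requires.

```python
import base64
import hashlib
import hmac
import time
from dataclasses import dataclass


@dataclass
class Association:
    """One RP-side cached association from an OP (values constructed below)."""
    handle: str        # openid.assoc_handle returned by the OP
    mac_key: bytes     # shared secret (HMAC-SHA1 key) from the association response
    established: float # epoch seconds when the RP stored the association
    expires_in: int    # lifetime in seconds, straight from the OP's response

    def usable_at(self, now: float, grace: int = 0) -> bool:
        # grace=0 is the spec rule: MUST NOT use after established + expires_in.
        # A positive grace is the hypothetical "SHOULD NOT" relaxation, not spec.
        return now < self.established + self.expires_in + grace


def kv_form(fields: dict, signed: list) -> bytes:
    """OpenID 2.0 Key-Value form of the signed fields, in openid.signed order.

    Names in openid.signed carry no "openid." prefix; the KV form uses them bare.
    """
    return "".join(f"{name}:{fields['openid.' + name]}\n" for name in signed).encode("utf-8")


def sign(assoc: Association, fields: dict, signed: list) -> str:
    """Compute openid.sig: base64(HMAC-SHA1(mac_key, kv_form))."""
    mac = hmac.new(assoc.mac_key, kv_form(fields, signed), hashlib.sha1).digest()
    return base64.b64encode(mac).decode("ascii")


def verify_assertion(assoc: Association, fields: dict, now: float = None, grace: int = 0) -> bool:
    """Verify a positive assertion (openid.mode=id_res) against a cached association.

    Returns False if the handle does not match, the association is past its
    expires_in (plus any non-spec grace), or the signature does not verify.
    """
    now = time.time() if now is None else now
    if fields.get("openid.mode") != "id_res":
        return False
    if fields.get("openid.assoc_handle") != assoc.handle:
        return False
    if not assoc.usable_at(now, grace):
        return False  # expired association: the spec says MUST NOT use it
    signed = fields["openid.signed"].split(",")
    expected = sign(assoc, fields, signed)
    return hmac.compare_digest(expected, fields.get("openid.sig", ""))


def demo_exchange():
    """Constructed sample: one association and one assertion signed with it."""
    established = 1_215_000_000.0  # arbitrary epoch timestamp for the example
    assoc = Association(
        handle="{HMAC-SHA1}{example-handle}",   # constructed handle
        mac_key=b"\x01" * 20,                   # constructed 160-bit MAC key
        established=established,
        expires_in=1200,                        # OP said: 20 minutes
    )
    signed = ["op_endpoint", "claimed_id", "identity", "return_to",
              "response_nonce", "assoc_handle"]
    fields = {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "id_res",
        "openid.op_endpoint": "https://op.example/endpoint",
        "openid.claimed_id": "https://user.example/",
        "openid.identity": "https://user.example/",
        "openid.return_to": "https://rp.example/return",
        "openid.response_nonce": "2008-07-02T18:24:33Zabc123",
        "openid.assoc_handle": assoc.handle,
        "openid.signed": ",".join(signed),
    }
    fields["openid.sig"] = sign(assoc, fields, signed)
    return assoc, fields


if __name__ == "__main__":
    assoc, fields = demo_exchange()
    t0 = assoc.established
    print("fresh:", verify_assertion(assoc, fields, now=t0 + 100))          # True
    print("expired:", verify_assertion(assoc, fields, now=t0 + 1300))       # False
    print("expired, grace:", verify_assertion(assoc, fields, now=t0 + 1300, grace=600))  # True
```

Note that the "low security needs" site Simon describes is exactly the `grace > 0` caller: the OP cannot stop it, which is Martin's point, but the MAC key it keeps using is one the OP has already stopped guaranteeing. In a real RP the association would also be discarded when the OP answers with `openid.invalidate_handle`, and the response nonce would be checked for replay; both are omitted here.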