<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<META NAME="Generator" CONTENT="MS Exchange Server version 6.5.7638.1">
<TITLE>RE: [PROPOSAL] authentication age</TITLE>
</HEAD>
<BODY>
<!-- Converted from text/plain format -->
<P><FONT SIZE=2>No, IdP MUST perform and RP MAY include.<BR>
<BR>
--David<BR>
<BR>
<BR>
-----Original Message-----<BR>
From: Dick Hardt [<A HREF="mailto:dick@sxip.com">mailto:dick@sxip.com</A>]<BR>
Sent: Sun 10/1/2006 7:52 AM<BR>
To: Recordon, David<BR>
Cc: specs@openid.net<BR>
Subject: Re: [PROPOSAL] authentication age<BR>
<BR>
Better wording, thanks.<BR>
<BR>
I was thinking the IdP MUST perform per the parameter. The RP MAY <BR>
include it, so it is an optional parameter in the request.<BR>
<BR>
Are you suggesting the RP MUST include it?<BR>
<BR>
-- Dick<BR>
<BR>
On 1-Oct-06, at 3:33 AM, Recordon, David wrote:<BR>
<BR>
> I like this, though I think minutes would be granular enough. Just <BR>
> to clarify, since it took me reading it a few times...<BR>
><BR>
> Add an optional request parameter openid.auth_age which is a <BR>
> positive integer. This parameter allows the relying party to <BR>
> request that if the identity provider has not renewed the session <BR>
> with the user in the past X minutes, that it do so at this time. <BR>
> If left out of the request, it is assumed that a session of any age <BR>
> is acceptable for the transaction. If 0, the RP is requesting <BR>
> authentication be done on this request no matter the age of the <BR>
> session.<BR>
><BR>
> Assuming this is added, it would have to be a MUST in the spec to <BR>
> be useful.<BR>
><BR>
> --David<BR>
><BR>
><BR>
> -----Original Message-----<BR>
> From: specs-bounces@openid.net on behalf of Dick Hardt<BR>
> Sent: Sat 9/30/2006 5:04 PM<BR>
> To: specs@openid.net<BR>
> Subject: [PROPOSAL] authentication age<BR>
><BR>
> Motivating Use Case:<BR>
> ----------------------------<BR>
><BR>
> Different RPs will require different amounts of certainty about the<BR>
> user, and at times will have different requirements depending on what<BR>
> the user is doing. E.g., from existing web applications today: there is<BR>
> little concern when the user is getting personalized pages and a<BR>
> relatively old cookie may be adequate, but the app will require the<BR>
> user to provide their password when changing their settings.<BR>
><BR>
> Proposed Implementation<BR>
> -----------------------------------<BR>
><BR>
> New, optional parameter in the request, "openid.auth_age" where the<BR>
> value is the number of seconds (minutes?) since the user last<BR>
> provided credentials. If it has been longer than that since the<BR>
> IdP authenticated the user, then the IdP MUST authenticate the user<BR>
> again. A value of zero (0) means that the IdP MUST prompt the user<BR>
> for credentials.<BR>
><BR>
> Issues<BR>
> --------<BR>
> There is no way to force an IdP to authenticate the user, but a<BR>
> "good" IdP implementation will follow the requests of the RP.<BR>
><BR>
> _______________________________________________<BR>
> specs mailing list<BR>
> specs@openid.net<BR>
> <A HREF="http://openid.net/mailman/listinfo/specs">http://openid.net/mailman/listinfo/specs</A><BR>
</FONT>
</P>
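<P><FONT SIZE=2>The semantics the thread converges on (RP MAY include openid.auth_age; when it is present the IdP MUST re-authenticate if the session is older than the requested age; 0 means always prompt; absent means any age is acceptable) are small enough to write down as an IdP-side decision routine. The following is an added example, not code from this thread or from any OpenID implementation. It assumes minutes as the unit (the unit David suggested; the proposal itself leaves seconds vs. minutes open), treats a malformed value as a rejected request rather than as "any age is fine", and always authenticates when the IdP has no session at all; none of those three choices is specified in the thread. The session-age values in the demo are constructed.</FONT></P>

```python
"""IdP-side handling of the proposed openid.auth_age request parameter.

Added example; not code from the thread or from any OpenID library.
Assumed semantics (from the proposal as reworded in the thread):
  - RP MAY include openid.auth_age; if absent, any session age is acceptable.
  - If present, IdP MUST re-authenticate when the session is older than
    auth_age units; a value of 0 means prompt for credentials regardless.
"""
import re
from typing import Mapping, Optional

# Unit of openid.auth_age. The thread leaves seconds vs. minutes open;
# minutes is the unit David suggested. This constant is an assumption.
AUTH_AGE_UNIT_SECONDS = 60

# Proposal says "positive integer" (with 0 as the always-prompt case), so
# only a plain run of ASCII digits is accepted. str.isdigit() is avoided
# because it also accepts non-ASCII digit characters that int() rejects.
_AUTH_AGE_RE = re.compile(r"[0-9]+")


class InvalidAuthAge(ValueError):
    """openid.auth_age was present but not a non-negative integer."""


def parse_auth_age(params: Mapping[str, str]) -> Optional[int]:
    """Return the requested auth_age, or None when the RP omitted it.

    A malformed value raises InvalidAuthAge. Rejecting rather than ignoring
    it is an assumption of this example: silently treating garbage as "no
    constraint" would quietly weaken what the RP asked for.
    """
    raw = params.get("openid.auth_age")
    if raw is None:
        return None
    if not _AUTH_AGE_RE.fullmatch(raw):
        raise InvalidAuthAge(
            f"openid.auth_age must be a non-negative integer, got {raw!r}"
        )
    return int(raw)


def must_reauthenticate(auth_age: Optional[int],
                        session_age_seconds: Optional[int]) -> bool:
    """Decide whether the IdP MUST prompt the user for credentials now.

    session_age_seconds is None when the IdP has no live session for the
    user; in that case it has to authenticate anyway (assumption, since the
    thread only discusses the case where a session exists).
    """
    if session_age_seconds is None:
        return True
    if auth_age is None:
        return False            # RP did not ask; any age is acceptable
    if auth_age == 0:
        return True             # RP asked for fresh authentication
    return session_age_seconds > auth_age * AUTH_AGE_UNIT_SECONDS


def handle_request(params: Mapping[str, str],
                   session_age_seconds: Optional[int]) -> str:
    """Combine parsing and the decision into one outcome for the request.

    Returns "reject" (malformed parameter), "prompt" (re-authenticate the
    user) or "reuse" (the existing session satisfies the RP's request).
    """
    try:
        auth_age = parse_auth_age(params)
    except InvalidAuthAge:
        return "reject"
    return "prompt" if must_reauthenticate(auth_age, session_age_seconds) else "reuse"


if __name__ == "__main__":
    # Constructed sample requests: a session authenticated 20 minutes ago.
    twenty_minutes = 20 * 60
    for request in ({}, {"openid.auth_age": "0"}, {"openid.auth_age": "15"},
                    {"openid.auth_age": "30"}, {"openid.auth_age": "-1"}):
        print(request, "->", handle_request(request, twenty_minutes))
```

<P><FONT SIZE=2>The "Issues" note in the proposal still applies: this routine describes what a well-behaved IdP does with the parameter, and the RP has no way to verify that the IdP actually prompted; an RP that needs stronger assurance has to treat the IdP's compliance as part of its trust decision.</FONT></P>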
</BODY>
</HTML>