<html><head></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">Nat you are referring to the assertion lifetimes for a enterprise LAN environment.<div><br></div><div>For a environment where the RP is not part of the same domain as the IdP.</div><div>Level 1: 5min</div><div>Level 2: 5min</div><div>Level 3: 5min</div><div>Level 4: MUST NOT use bearer tokens. (Rules out openID)</div><div><br></div><div>The Nonce contains a time stamp that should be used for this. </div><div>Clock synchronization can become an issue with times this small. NNTP please.</div><div><br></div><div>We could add a TTL to the assertion however it may be as easy to say that OP keep private assertions for a minimum of 5 min.</div><div><br></div><div>Andrew's app should refresh any unsolicited positive assertions older than 5 min.</div><div><br></div><div>It is interesting that JS can cache assertions like this.</div><div><br></div><div>It perhaps also points out the possibility of people using this technique for cross site scripting to sites that a user thinks they are logged out of.</div><div><br></div><div>John B. </div><div><div><div>On 2009-10-26, at 3:40 AM, Nat Sakimura wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite">
<div bgcolor="#ffffff" text="#000000">
I fully agree on this. <br>
<br>
It is required not only from AJAX scenario, but also from Assurance
Level discussions. <br>
<br>
For example, in SP800-63rev.1, Level 1 assertion must expire in 12
hours, Level 3 assertion in 30 min, <br>
and in IDABC Authentication Policy, <br>
<br>
Level 1: 24 hours, <br>
Level 2: 12 hours<br>
Level 3: 2 hours<br>
Level 4: Immediate (whatever it means...)<br>
<br>
Regards, <br>
<br>
=nat<br>
<br>
Andrew Arnott wrote:
<blockquote cite="mid:216e54900910251704w5734d20au26d559765004ff2c@mail.gmail.com" type="cite">With the recent OpenID AJAX work I've been doing (<a moz-do-not-send="true" href="http://samples.dotnetopenauth.net/v3.2/openidrelyingpartywebforms/ajaxlogin.aspx">blog
commenting</a> and <a moz-do-not-send="true" href="http://openidux.dotnetopenauth.net/">popup login</a>) I've run
across a problem that while small now, may grow as OpenID popularity
increases and AJAX use becomes more mainstream.
<div><br>
</div>
<div>When an OP sends a positive assertion signed with a private
association, the RP currently has no idea how long this assertion is
valid. The OP has their own policy regarding how long before it
expires the assertion based on the response_nonce' timestamp. Some OPs
may reason "well, it should only take a few seconds for an RP to get
back to us to verify this, so any nonce more than 30 seconds old is
expired" in order to keep the used nonce bin from filling up too fast. </div>
<div><br>
</div>
<div>Here's the problem: at least with my own AJAX designs, the
positive assertion the user agent obtains from the OP is <i>not</i> forwarded
immediately to the RP. Several assertions are gathered, and the user
picks which one to log into the RP with, and to help protect the user's
privacy, it's not ideal to send all assertions to the RP or else it's
easy for the RP to tie several identities together without the user's
consent.<i> </i> If the login screen is left open for several minutes,
these assertions can get stale. Particularly in the blog commenting
scenario where the user my acquire the positive assertion before
writing his blog comment and thereby could wait 15 minutes or more
before posting his comment.</div>
<div><br>
</div>
<div>So far, I'm mitigating this at the RP by choosing a "reasonable"
maximum lifetime for the assertion and the javascript automatically
renews the positive assertion after the assertion is assumed to have
expired. But since this guess at the assertion's lifetime is not
correct for an arbitrary OP, it would be great if with the positive
assertion signed with a private association the OP could indicate with
another parameter how long the assertion is valid for so the RP
javascript code can renew at the optimal interval.</div>
<div><br>
</div>
<div>What do you think?<br clear="all">
--<br>
Andrew Arnott<br>
"I [may] not agree with what you have to say, but I'll defend to the
death your right to say it." - S. G. Tallentyre<br>
</div>
<pre wrap=""><hr class="__postbox_mime_separator" size="4" width="90%">
_______________________________________________
specs mailing list
<a class="moz-txt-link-abbreviated" href="mailto:specs@lists.openid.net">specs@lists.openid.net</a>
<a class="moz-txt-link-freetext" href="http://lists.openid.net/mailman/listinfo/openid-specs">http://lists.openid.net/mailman/listinfo/openid-specs</a>
</pre>
</blockquote>
</div>
_______________________________________________<br>specs mailing list<br><a href="mailto:specs@lists.openid.net">specs@lists.openid.net</a><br>http://lists.openid.net/mailman/listinfo/openid-specs<br></blockquote></div><br></div></body></html>