Hello,

I still cannot reach a final decision about the relation between max_auth_age and requested policies; the more I read the specification, the more confused I am.

In particular, I do not know what the proper behaviour is when max_auth_age is satisfied but auth_policies are not. Currently our provider considers that max_auth_age has priority over policies: if the user has logged in recently (from the consumer's point of view), no additional authentication is required. If this is the correct behaviour, then a related problem is how the consumer can check this. The consumer cannot tell whether the user did not log in or logged in with an insufficient policy; both cases end with a correct auth_time and incorrect policies.

I also consider it weird behaviour that max_auth_age is optional, but if it is not sent, the rest of the PAPE request can be ignored (quote: "If this parameter is absent from the request, the OP should authenticate the user at its own discretion."). From my point of view this makes it non-optional, because the request has no meaning without this parameter.

Vlastik
_______________________________________________
security mailing list
[email protected]
http://lists.openid.net/mailman/listinfo/openid-security
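As an added consumer-side illustration (not part of this message, the list, or the PAPE draft), the following Python sketch evaluates the two PAPE conditions independently so that a fresh auth_time never compensates for a policy the OP did not report; the field names and policy URIs follow the PAPE 1.0 draft, while the decision logic, the clock and the sample request/response pairs are assumptions constructed for the example.

```python
from datetime import datetime, timedelta, timezone

# Policy URIs from the PAPE 1.0 draft; "none" means the OP applied no policy.
PAPE_NONE = "http://schemas.openid.net/pape/policies/2007/06/none"
PHISHING_RESISTANT = "http://schemas.openid.net/pape/policies/2007/06/phishing-resistant"

# Constructed clock for the sample runs below (not a real transaction).
NOW = datetime(2008, 3, 14, 12, 5, 0, tzinfo=timezone.utc)


def parse_auth_time(value):
    """openid.pape.auth_time is RFC 3339 UTC, e.g. 2008-03-14T12:03:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def evaluate_pape(request, response, now=NOW):
    """Consumer-side check. 'request' holds the fields the RP sent, 'response' the
    fields the OP returned (both without the 'openid.pape.' prefix).
    Returns (accepted, reasons); the age and policy conditions are judged separately."""
    reasons = []
    max_age = request.get("max_auth_age")
    if max_age is not None:
        auth_time = response.get("auth_time")
        if auth_time is None:
            reasons.append("auth_time missing although max_auth_age was requested")
        elif now - parse_auth_time(auth_time) > timedelta(seconds=int(max_age)):
            reasons.append("authentication is older than max_auth_age")
    wanted = set(request.get("preferred_auth_policies", "").split())
    applied = set(response.get("auth_policies", "").split()) - {PAPE_NONE}
    missing = wanted - applied
    if missing:
        reasons.append("requested policies not applied: " + " ".join(sorted(missing)))
    return (not reasons, reasons)


def demo():
    """Constructed request/response pairs illustrating the ambiguity in the post."""
    request = {"max_auth_age": "300", "preferred_auth_policies": PHISHING_RESISTANT}
    fresh_no_policy = {"auth_time": "2008-03-14T12:03:00Z", "auth_policies": PAPE_NONE}
    fresh_with_policy = {"auth_time": "2008-03-14T12:03:00Z", "auth_policies": PHISHING_RESISTANT}
    stale_with_policy = {"auth_time": "2008-03-14T11:00:00Z", "auth_policies": PHISHING_RESISTANT}
    return {
        # Looks identical whether the OP skipped re-authentication or re-authenticated
        # with a weak method: only the policy check separates acceptable from not.
        "fresh_no_policy": evaluate_pape(request, fresh_no_policy),
        "fresh_with_policy": evaluate_pape(request, fresh_with_policy),
        "stale_with_policy": evaluate_pape(request, stale_with_policy),
    }
```

Calling demo() rejects the first and third pair with a reason naming the failed condition and accepts only the second.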
