On 30-Jun-09, at 11:11 PM, Nate Klingenstein wrote:

> Dick,
>
>> I am suggesting changing the spec for the privacy reasons you
>> stated. The RP does not need to know when the last auth was, just
>> that it met the RP's policy.
>
> How can this be done if the request isn't signed? Can't a user
> presenting the request change the max_auth_age to whatever it wants,
> or omit it entirely? "Yes, I met your requirement" doesn't mean
> much if the requirement itself can be trivially changed by the
> client and the RP has no indication this occurred.

My suggestion was that max_auth_age was also in the response, which is
signed, so that the RP knows what the OP said it did.

-- Dick
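As an added illustration of the check Dick proposes (this is not code from the thread or from any OpenID implementation): an RP-side verifier that only trusts the max_auth_age value once it comes back under the OP's signature. It assumes a simplified HMAC-SHA256 over OpenID key:value lines, a constructed association secret, and a hypothetical echoed `openid.pape.max_auth_age` response field, which PAPE as published does not define.

```python
import hashlib
import hmac

# Constructed association secret; in OpenID the RP and OP share this via an association.
ASSOC_SECRET = b"constructed-association-secret"
RP_MAX_AUTH_AGE = 300  # the RP's policy: authentication must be at most 5 minutes old


def kv_form(fields, signed_keys):
    """Serialize the signed fields as OpenID-style key:value lines ('openid.' prefix dropped)."""
    return "".join(f"{k}:{fields.get('openid.' + k, '')}\n" for k in signed_keys).encode()


def op_sign_response(fields, signed_keys, secret=ASSOC_SECRET):
    """OP side: add openid.signed and an HMAC-SHA256 openid.sig over the listed keys."""
    fields = dict(fields)
    fields["openid.signed"] = ",".join(signed_keys)
    fields["openid.sig"] = hmac.new(secret, kv_form(fields, signed_keys), hashlib.sha256).hexdigest()
    return fields


def rp_check(response, policy_max_age=RP_MAX_AUTH_AGE, secret=ASSOC_SECRET):
    """RP side: verify the signature, then compare the echoed max_auth_age with local policy."""
    signed_keys = response.get("openid.signed", "").split(",")
    expected = hmac.new(secret, kv_form(response, signed_keys), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, response.get("openid.sig", "")):
        return False, "bad signature"
    # The echo only helps if it is inside the signed field list, not merely present.
    if "pape.max_auth_age" not in signed_keys:
        return False, "max_auth_age not covered by the signature"
    echoed = int(response["openid.pape.max_auth_age"])
    if echoed > policy_max_age:
        return False, f"OP enforced max_auth_age={echoed}, policy requires <={policy_max_age}"
    return True, "ok"


SIGNED_KEYS = ["mode", "claimed_id", "pape.auth_policies", "pape.max_auth_age"]
BASE = {"openid.mode": "id_res", "openid.claimed_id": "https://example.org/alice",
        "openid.pape.auth_policies": "none"}  # constructed sample assertion

# Scenario 1: the unsigned request reached the OP intact; the OP enforced 300 s and echoes it.
HONEST = op_sign_response({**BASE, "openid.pape.max_auth_age": "300"}, SIGNED_KEYS)

# Scenario 2: the client rewrote max_auth_age to 86400 in the unsigned request; the OP
# reports what it actually enforced, so the RP can now see the mismatch with its policy.
TAMPERED_REQUEST = op_sign_response({**BASE, "openid.pape.max_auth_age": "86400"}, SIGNED_KEYS)

if __name__ == "__main__":
    print("honest:", rp_check(HONEST))
    print("tampered request:", rp_check(TAMPERED_REQUEST))
```

Without the echoed field the second response would be indistinguishable from the first, which is exactly the gap Nate describes.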
_______________________________________________
security mailing list
[email protected]
http://openid.net/mailman/listinfo/security