On Sun, 2006-10-01 at 13:08 -0700, Recordon, David wrote:
> It could be augmented to also contain a response parameter telling the
> RP if the IdP acknowledged it, then the RP could make the decision if
> it wants to proceed.

You will want that response parameter. Otherwise, couldn't I (as the attacker who has the user's IdP cookie) just drop the auth_age parameter from the checkid request?

_______________________________________________
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs
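
The RP-side check this exchange argues for, as an added example that is not part of the original thread or of any OpenID specification text: the RP accepts a response only if the IdP's acknowledgement of auth_age is present, covered by the signature, and matches what the RP asked for. The field name `auth_age_ack`, the toy IdP, and all sample values are assumptions; the signature is HMAC-SHA1 over key:value lines, modelled on OpenID 1.x.

```python
import base64
import hashlib
import hmac

# Hypothetical name for the acknowledgement; the thread only proposes that such
# a response parameter exist and does not name it.
ACK_FIELD = "auth_age_ack"
SECRET = b"constructed-association-secret"  # constructed sample value
REQUEST = {"identity": "http://user.example/",          # constructed sample request
           "return_to": "http://rp.example/return", "auth_age": "300"}


def sign(assoc_secret, fields, signed):
    """HMAC-SHA1 over one 'key:value' line per signed field, base64-encoded."""
    token = "".join(f"{k}:{fields[k]}\n" for k in signed).encode()
    return base64.b64encode(hmac.new(assoc_secret, token, hashlib.sha1).digest()).decode()


def idp_respond(assoc_secret, request):
    """Toy IdP: acknowledges auth_age only if the request it received carried it."""
    fields = {"mode": "id_res", "identity": request["identity"],
              "return_to": request["return_to"]}
    if "auth_age" in request:
        fields[ACK_FIELD] = request["auth_age"]
    signed = sorted(fields)
    fields["signed"] = ",".join(signed)
    fields["sig"] = sign(assoc_secret, fields, signed)
    return fields


def rp_accepts(assoc_secret, requested_auth_age, response):
    """RP decision: valid signature, plus a signed, matching acknowledgement."""
    signed = response.get("signed", "").split(",")
    if any(k not in response for k in signed):
        return False
    if not hmac.compare_digest(sign(assoc_secret, response, signed),
                               response.get("sig", "")):
        return False
    if requested_auth_age is None:
        return True  # RP never asked for auth_age, so nothing to verify
    # A request that lost auth_age in transit yields no acknowledgement, and an
    # acknowledgement added outside the signed list is not trusted.
    return ACK_FIELD in signed and response.get(ACK_FIELD) == str(requested_auth_age)
```

The RP compares against the value it remembers sending, not against anything carried in the browser-relayed request, which is why a request that arrives at the IdP without auth_age is caught on return.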