What happened to all the concern about openid.auth_age (in early October)?

I echo Kevin Turner's worry that “features like this will mislead the RP 
developers into thinking they have more control over the authentication 
protocol than they really do… when OpenID actually leaves all those controls in 
the hands of the user and their chosen IdP”. 
[http://openid.net/pipermail/specs/2006-October/000223.html]

Dick Hardt’s Amazon.com use case makes sense: amazon.com may be quite happy to 
use an arbitrarily old authentication to personalise your browsing, but when 
you go to purchase something they want to make sure it is still you (and prompt 
you for your password).

The user-centric solution is not for the RP to specify a max auth age (or 
captcha or email verification or handbio or hardotp…), but for the RP to 
indicate the importance of the authentication. The user (with a little help 
from their OP) decides how to react (e.g. whether or not to login again) based on 
the importance/RP/auth-age/….

Spec changes: specify an openid.importance attribute to be included in an 
authentication request and echoed in the response; define some standard values 
(e.g. “low”, “medium”, “high”, “session”, “transaction”, “money”, “privacy”, 
“corporate”, “reputation”…); encourage OPs to allow users to control how & when 
to reauthenticate based on the importance and RP.

Surely the Assertion Quality Extension (AQE) will just encourage RPs to only 
support a small number of OPs that the RP can trust to enforce the RP’s rules.

James Manger
_______________________________________________
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs
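A worked model of the openid.importance proposal in the post above, added here as an example; it is not part of the original message, the OpenID specs or any OpenID library. The OP-side policy table (`UserPolicy`, `DEFAULT_POLICY`), the functions `decide_reauth` and `build_response`, and the Amazon-style sample requests are hypothetical. The point it illustrates is the one the post makes: the RP only states how important the authentication is, and the decision whether to re-prompt rests with the user's preferences held at their OP, applied per RP.

```python
"""Model of the proposed openid.importance parameter (hypothetical example).

The RP sends openid.importance in the authentication request; the OP consults
the user's own reauthentication policy (per RP, per importance) against the age
of the user's existing login, then echoes openid.importance in the response.
"""
import time

# Standard importance values suggested in the post.
STANDARD_IMPORTANCE = ("low", "medium", "high", "session", "transaction",
                       "money", "privacy", "corporate", "reputation")

# Hypothetical default policy: importance -> maximum acceptable age (seconds)
# of the user's existing authentication at the OP.  0 means "always re-prompt";
# "session" means "any authentication made in the current browser session".
DEFAULT_POLICY = {
    "low": 30 * 24 * 3600,
    "medium": 24 * 3600,
    "session": "session",
    "high": 0, "transaction": 0, "money": 0, "privacy": 0,
    "corporate": 0, "reputation": 0,
}


class UserPolicy:
    """A user's reauthentication preferences held by the OP (hypothetical shape).

    per_rp maps an RP realm to an {importance: max_age} override table, so the
    user can trust one RP more than another for the same importance level.
    """

    def __init__(self, defaults=None, per_rp=None):
        self.defaults = dict(DEFAULT_POLICY if defaults is None else defaults)
        self.per_rp = dict(per_rp or {})

    def max_age(self, realm, importance):
        override = self.per_rp.get(realm, {})
        if importance in override:
            return override[importance]
        # Unknown or non-standard importance values fall back to the most
        # cautious rule: re-prompt.
        return self.defaults.get(importance, 0)


def decide_reauth(request, policy, session):
    """Return (needs_reauth, importance_used, reason).

    request: dict of openid.* parameters from the RP.
    session: dict with 'last_auth' and 'session_start' (epoch seconds) and 'now'.
    Any RP-supplied maximum auth age is deliberately not consulted: under the
    proposal the RP states importance and the user/OP decide what to do.
    """
    importance = request.get("openid.importance", "low")
    realm = request.get("openid.realm") or request.get("openid.return_to", "")
    limit = policy.max_age(realm, importance)
    if limit == "session":
        needs = session["last_auth"] < session["session_start"]
        return needs, importance, "session-scoped: login must be from this session"
    age = session["now"] - session["last_auth"]
    return age > limit, importance, f"auth age {age}s vs user limit {limit}s"


def build_response(request, importance, assoc_handle="ASSOC-HANDLE-PLACEHOLDER"):
    """Positive assertion echoing openid.importance back to the RP.

    Only the fields relevant to the example are shown; a real response carries
    more fields and is signed.
    """
    return {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "id_res",
        "openid.claimed_id": request.get("openid.claimed_id"),
        "openid.return_to": request.get("openid.return_to"),
        "openid.assoc_handle": assoc_handle,
        "openid.importance": importance,
    }


if __name__ == "__main__":
    # Constructed scenario: the user logged in at the OP three days ago.
    now = int(time.time())
    session = {"now": now, "last_auth": now - 3 * 24 * 3600,
               "session_start": now - 3600}
    policy = UserPolicy()
    base = {"openid.claimed_id": "http://user.example/",
            "openid.return_to": "http://shop.example/return",
            "openid.realm": "http://shop.example/"}
    for importance in ("low", "money", "session"):
        req = dict(base, **{"openid.importance": importance})
        needs, used, why = decide_reauth(req, policy, session)
        print(f"{importance:8} -> reauth={needs} ({why})")
        if not needs:
            print("   response:", build_response(req, used))
```

Browsing ("low") is accepted on the three-day-old login while a purchase ("money") forces a fresh login, which is the Amazon case from the post; a per-RP override in `per_rp` lets the user relax that for an RP they trust without the RP dictating anything.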