On 4-Oct-07, at 2:45 PM, Jonathan Daugherty wrote:

> - The description for max_auth_age mentions "active" vs. "indirect"
> user authentication, but the spec defines neither. I had to read
> 5.1 and 5.2 a few times to figure out precisely what they meant.
> Since the distinction is important, I think it would benefit from
> some clarification. I'm not sure what the best wording would be.

+1 on clarifying what "active" means. Before getting to wording, I'm not totally sure what would be considered active authentication and what wouldn't.

> - For max_auth_age, what does "in a manner fitting the requested
> policies" mean 1) in the case where no policies were requested and
> 2) in the case where authentication was performed in accordance
> with a *subset* of the requested policies?

I believe auth_age in the response is meant to apply to the policies asserted in the response, rather than the ones requested. (Hinted by David's comment[1].) The RP can then see if there's a full or partial match, and decide if it's good enough.

On the same topic, I have suggested before and there seemed to be agreement[1] that it's more useful if auth_age in the response is actually a timestamp (auth_time).

Johnny

[1] http://openid.net/pipermail/specs/2007-July/001926.html

_______________________________________________
specs mailing list
[email protected]
http://openid.net/mailman/listinfo/specs
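The RP-side check described in the message above, as an added example that is not part of the original thread or of any OpenID library: it compares the policies the RP requested against the policies the OP asserts in the response (full, partial or no match), and evaluates freshness from an absolute auth_time rather than a relative auth_age. The dict keys `auth_policies` and `auth_time`, the space-separated policy list, the `YYYY-MM-DDThh:mm:ssZ` timestamp form and the sample values are assumptions made for the example; whether a partial match is "good enough" is left to the caller, as the message says it is the RP's decision.

```python
from datetime import datetime, timezone

# Policy URIs are opaque strings to the RP. These two are used here only as
# constructed sample values; the example does not depend on their meaning.
PHISHING_RESISTANT = "http://schemas.openid.net/pape/policies/2007/06/phishing-resistant"
MULTI_FACTOR = "http://schemas.openid.net/pape/policies/2007/06/multi-factor"


def parse_utc(value):
    """Parse a 'YYYY-MM-DDThh:mm:ssZ' UTC timestamp (assumed format).

    Returns an aware datetime, or None if the value is missing or malformed.
    An already-parsed aware datetime is passed through unchanged.
    """
    if isinstance(value, datetime):
        return value
    try:
        return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except (TypeError, ValueError):
        return None


def evaluate_pape_response(requested_policies, max_auth_age, response, now,
                           accept_partial=False):
    """RP-side evaluation of an OP response carrying asserted policies and an
    absolute authentication timestamp.

    requested_policies: policy URIs the RP asked for (may be empty)
    max_auth_age:       seconds of staleness the RP tolerates, or None if the
                        RP did not request a maximum
    response:           dict with 'auth_policies' (space-separated URIs, may be
                        empty) and 'auth_time' (UTC timestamp string)
    now:                RP clock, injected so the check is deterministic
    accept_partial:     the RP's own policy on subset matches
    """
    asserted = set(response.get("auth_policies", "").split())
    requested = set(requested_policies)
    matched = requested & asserted

    # The comparison is against what the OP asserted, not what was requested.
    if not requested:
        match = "none-requested"
    elif matched == requested:
        match = "full"
    elif matched:
        match = "partial"
    else:
        match = "none"

    auth_time = parse_utc(response.get("auth_time"))
    now = parse_utc(now)
    if auth_time is None or now is None:
        # No usable timestamp: only acceptable if the RP set no freshness bound.
        age = None
        fresh = max_auth_age is None
    else:
        age = (now - auth_time).total_seconds()
        # A negative age means the OP's clock is ahead of ours or the value was
        # tampered with; do not treat a future timestamp as fresh.
        fresh = max_auth_age is None or 0 <= age <= max_auth_age

    policies_ok = match in ("full", "none-requested") or (match == "partial" and accept_partial)
    return {
        "match": match,
        "matched": sorted(matched),
        "unmatched": sorted(requested - asserted),
        "auth_age": age,
        "fresh": fresh,
        "acceptable": fresh and policies_ok,
    }


if __name__ == "__main__":
    # Constructed sample: RP asked for two policies, OP asserted one, 90 s ago.
    result = evaluate_pape_response(
        [PHISHING_RESISTANT, MULTI_FACTOR], 300,
        {"auth_policies": PHISHING_RESISTANT, "auth_time": "2007-10-04T21:43:30Z"},
        "2007-10-04T21:45:00Z",
    )
    print(result)
```

The point of taking an absolute auth_time is visible in the age computation: the RP subtracts it from its own clock at verification time, so a response that was delayed in transit still yields the true age, whereas a relative auth_age computed by the OP would be correct only at the instant the OP produced it.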
