Martin Paljak <[EMAIL PROTECTED]> writes:

> Hi Simon,
>
> I believe expires_in from
> http://openid.net/specs/openid-authentication-2_0.html#anchor20
> is the thing you're interested in?

Hi Martin.

Ah, thanks for the pointer, I wasn't aware of that parameter. It isn't _exactly_ what I'm looking for -- I don't want to _force_ the RP to re-authenticate. I want to let the RP know that by re-authenticating frequently, it can improve security. This matches how all one-time-password systems operate.

Some RPs may be less security sensitive, and then it does not matter if it continues without re-authentication. However, some RPs may want to take advantage of re-authentication if it is useful.

Possibly the 'expires_in' is what I am looking for, if the 'MUST NOT' is changed into a 'SHOULD NOT' and a note is added to say that sites with low security needs can ignore a low expires_in value.

Maybe I should write a PAPE authentication profile for this. I'm trying to find out if this is something people feel is generally useful, though, which could argue for including it in the standard.

/Simon

_______________________________________________
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs