"Hans Granqvist" <[EMAIL PROTECTED]> writes: > 'expires_in' relates to the length of the RP->OP assoc, not the > length of the EU->RP session.
Good point. I couldn't see the forest for the trees. > I don't think that param is usable for you, unless I completely > misunderstand what you're trying to achieve, which I think > is that the end-user has to occasionally re-authenticate? Right. This param doesn't solve my use-case. Thanks, /Simon > > Hans > > On Wed, Jul 2, 2008 at 10:29 AM, Simon Josefsson <[EMAIL PROTECTED]> wrote: >> Martin Paljak <[EMAIL PROTECTED]> writes: >> >>> Hi Simon, >>> >>> >>> I believe expires_in from >>> http://openid.net/specs/openid-authentication-2_0.html#anchor20 >>> is the thing you're interested in? >> >> Hi Martin. Ah, thanks for the pointer, I wasn't aware of that >> parameter. >> >> It isn't _exactly_ what I'm looking for -- I don't want to _force_ the >> RP to re-authenticate. I want to let the RP know that by >> re-authentication frequently, it can improve security. This matches how >> all one-time-password systems operate. >> >> Some RP's may be less security sensitive, and then it does not matter if >> it continues without re-authentication. However, some RPs may want to >> take advantage of re-authentication if it is useful. >> >> Possibly the 'expires_in' is what I am looking for, if the 'MUST NOT' is >> changed into a 'SHOULD NOT' and a note is added to say that sites with >> low security needs can ignore a low expires_in value. >> >> Maybe I should write a PAPE authentication profile for this. I'm trying >> to find out if this is something people feel is generally useful, >> though, which could argue for including it in the standard. >> >> /Simon >> _______________________________________________ >> specs mailing list >> specs@openid.net >> http://openid.net/mailman/listinfo/specs >> _______________________________________________ specs mailing list specs@openid.net http://openid.net/mailman/listinfo/specs