Once more, LJ valid_to timespan.

[Brad Fitzpatrick]

On Fri, 1 Jul 2005, Carl Howells wrote:

> Once again, I'd like to bring up LJ's openid server's return valid_to.
> It's still set only one minute in the future.  I believe that shows a
> misunderstanding of the spec, and should be corrected.
>
> As I understand the spec (and others have agreed with my
> interpretation), the valid_to date is NOT how long the user and consumer
> have to complete the login process.  Rather, it's how long the server is
> allowing the user to stay logged in to the consumer site.

Why?  What purpose does a valid_to saying when their consumer session
should expire help?  What is the identity server protecting the user from?

All it's going to do is make it harder for people to merge OpenID into
their auth/session infrastructures, and also confuse users when they're
suddenly logged out for no reason that they can understand, or suddenly
redirected back to a "Do you trust this site?" message because they'd only
said "authorize once" and not "authorize always".

I see it as saying "Yo, I'm asserting that this user is Brad, but I can
only promise you that for the next 30 seconds, after which you should
assume this was sniffed and reused at you."

But overall I just hate the valid_to field.  I love the issued one, so
everybody can set their own policies (especially consumers because they're
the ones that need to keep track of duplicates), but I'm not seeing who
valid_to is useful for.

- Brad