Once more, LJ valid_to timespan.

[Troy Benjegerdes]

On Fri, Jul 01, 2005 at 02:01:07PM -0700, Brad Fitzpatrick wrote:
> On Fri, 1 Jul 2005, Carl Howells wrote:
> 
> > Once again, I'd like to bring up LJ's openid server's return valid_to.
> > It's still set only one minute in the future.  I believe that shows a
> > misunderstanding of the spec, and should be corrected.
> >
> > As I understand the spec (and others have agreed with my
> > interpretation), the valid_to date is NOT how long the user and consumer
> > have to complete the login process.  Rather, it's how long the server is
> > allowing the user to stay logged in to the consumer site.
> 
> Why?  What purpose does a valid_to saying when their consumer session
> should expire help?  What is the identity server protecting the user from?
> 
> All it's going to do is make it harder for people to merge OpenID into
> their auth/session infrastructures, and also confuse users when they're
> suddenly logged out for no reason that they can understand, or suddenly
> redirected back to a "Do you trust this site?" message because they'd only
> said "authorize once" and not "authorize always".
> 
> I see it as saying "Yo, I'm asserting that this user is Brad, but I can
> only promise you that for the next 30 seconds, after which you should
> assume this was sniffed and reused at you."
> 
> But overall I just hate the valid_to field.  I love the issued one, so
> everybody can set their own policies (especially consumers because they're
> the ones that need to keep track of duplicates), but I'm not seeing who
> valid_to is useful for.

I think the 'valid_to' lets openid servers enforce a stronger security
policy than a site might default to. For me to trust OpenID, it's got to
both be more convenient, *and* more secure than logging in to everything
directly. By making consumer sites "check-in" to the producer with valid_to,
the producer knows what's going on, and has the ability to do something
about it if something looks fishy, which in my mind, makes it much more
secure.