Once more, LJ valid_to timespan.

[Grant Monroe]

On 7/6/05, Brad Fitzpatrick <brad at danga.com> wrote:
>
> I've also been out of town until tonight.
> 
> I'd love to start this conversation back up.
> 

If I am understanding things correctly, livejournal is only looking at
the valid_to field in the check_authentication step for dumb clients.
The openid.valid_to timestamp is created by the server along with the
openid.issued timestamp. Shouldn't the server just be able to look at
the issued field and decide whether it has been too long?

The other interpretation of this field seems to be some sort of
advisory timestamp that the server sends to a consumer for when the
user needs to reauthenticate. In this case, I'm guessing most
consumers are just going to ignore this value and do whatever they
normally do for user sessions.

I don't think that either of these cases has much merit, and my vote
is to remove it from the spec.