Once more, LJ valid_to timespan.

Carl Howells chowells at janrain.com
Fri Jul 1 12:55:28 PDT 2005

Martin Atkins wrote:
> I think the intention of the valid_to field is to allow the ID server to 
> say "I vouch that this person will be bradfitz.com for the next five 
> minutes. After that, I have no idea."
> This has always seemed a little odd to me, but I just figured you'd set 
> it to expire at the same time as the session you have. LiveJournal's 
> sessions have an expiry time, so you'd just use that. I don't remember 
> how the "Forever" mode is implemented, though; I'm guessing there's some 
> kind of automatic session renewal going on in there.

Well, the valid_to field was introduce as a result of this message:

In that email, Paul pointed out all the components of the protocol 
should have explicit expiration times set.  Most of it was devoted to 
talking about (what became) the hmac secret, but he did mention that all 
identity tokens provided should have explicit expirations as well.

The first real discussion of the expiration on the identity tokens came 


Basically, the point is that the protocol is more sound, from a 
cryptographic point of view, if there is a point after which the 
authorization the server sends shouldn't be honored anymore.

So, it looks like the entire purpose of the issued and valid_to fields 
was to give the ID server some way to specify when the user's login to 
the consumer should expire.  If those fields aren't being used in that 
manner, how is that different from not having them at all?


More information about the yadis mailing list