Once more, LJ valid_to timespan.
Carl Howells
chowells at janrain.com
Fri Jul 1 12:55:28 PDT 2005
Martin Atkins wrote:
> I think the intention of the valid_to field is to allow the ID server to
> say "I vouch that this person will be bradfitz.com for the next five
> minutes. After that, I have no idea."
>
> This has always seemed a little odd to me, but I just figured you'd set
> it to expire at the same time as the session you have. LiveJournal's
> sessions have an expiry time, so you'd just use that. I don't remember
> how the "Forever" mode is implemented, though; I'm guessing there's some
> kind of automatic session renewal going on in there.
Well, the valid_to field was introduced as a result of this message:
<http://lists.danga.com/pipermail/yadis/2005-June/000480.html>
In that email, Paul pointed out all the components of the protocol
should have explicit expiration times set. Most of it was devoted to
talking about (what became) the hmac secret, but he did mention that all
identity tokens provided should have explicit expirations as well.
The first real discussion of the expiration on the identity tokens came
here:
<http://lists.danga.com/pipermail/yadis/2005-June/000657.html>
<http://lists.danga.com/pipermail/yadis/2005-June/000659.html>
<http://lists.danga.com/pipermail/yadis/2005-June/000660.html>
<http://lists.danga.com/pipermail/yadis/2005-June/000665.html>
Basically, the point is that the protocol is more sound, from a
cryptographic point of view, if there is a point after which the
authorization the server sends shouldn't be honored anymore.
So, it looks like the entire purpose of the issued and valid_to fields
was to give the ID server some way to specify when the user's login to
the consumer should expire. If those fields aren't being used in that
manner, how is that different from not having them at all?
Carl
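A consumer-side check of the window the issued and valid_to fields define, added here as an illustration and not code from the yadis project or from anyone in this thread; the parameter names `openid.issued`/`openid.valid_to`, the ISO 8601 UTC timestamp format and the 30-second skew tolerance are assumptions, and the sample assertion is constructed.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample of the two timestamp fields discussed in the thread.
# Field names and the "YYYY-MM-DDTHH:MM:SSZ" format are assumptions.
SAMPLE_ASSERTION = {
    "openid.assert_identity": "http://bradfitz.com/",
    "openid.issued": "2005-07-01T19:55:28Z",
    "openid.valid_to": "2005-07-01T20:00:28Z",
}

# Tolerance for consumer/ID-server clock drift, applied only on the "issued"
# side; the expiry side is enforced strictly (assumed policy, not from the spec).
CLOCK_SKEW = timedelta(seconds=30)


def parse_utc(value):
    """Parse a 'YYYY-MM-DDTHH:MM:SSZ' string into an aware UTC datetime."""
    if not value.endswith("Z"):
        raise ValueError("timestamp must be UTC with 'Z' suffix: %r" % value)
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def assertion_window(fields):
    """Return (issued, valid_to); reject a missing or inverted window."""
    try:
        issued = parse_utc(fields["openid.issued"])
        valid_to = parse_utc(fields["openid.valid_to"])
    except KeyError as missing:
        raise ValueError("assertion lacks required field %s" % missing)
    if valid_to <= issued:
        raise ValueError("valid_to %s is not after issued %s" % (valid_to, issued))
    return issued, valid_to


def session_lifetime(fields, now, consumer_max=timedelta(hours=24)):
    """Decide whether to honour the assertion at `now` and for how long.

    Returns None when the assertion is not yet valid (beyond skew) or has
    expired. Otherwise returns how long the consumer's login may last: its
    own policy, capped by valid_to, so the session never outlives the
    period the ID server vouched for.
    """
    issued, valid_to = assertion_window(fields)
    if now + CLOCK_SKEW < issued:   # issued in the future beyond tolerated skew
        return None
    if now >= valid_to:             # the ID server no longer vouches: do not honour
        return None
    return min(consumer_max, valid_to - now)
```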