Once more, LJ valid_to timespan.
Troy Benjegerdes
hozer at hozed.org
Fri Jul 1 18:06:54 PDT 2005
On Fri, Jul 01, 2005 at 02:01:07PM -0700, Brad Fitzpatrick wrote:
> On Fri, 1 Jul 2005, Carl Howells wrote:
>
> > Once again, I'd like to bring up LJ's openid server's return valid_to.
> > It's still set only one minute in the future. I believe that shows a
> > misunderstanding of the spec, and should be corrected.
> >
> > As I understand the spec (and others have agreed with my
> > interpretation), the valid_to date is NOT how long the user and consumer
> > have to complete the login process. Rather, it's how long the server is
> > allowing the user to stay logged in to the consumer site.
>
> Why? What purpose does a valid_to saying when their consumer session
> should expire help? What is the identity server protecting the user from?
>
> All it's going to do is make it harder for people to merge OpenID into
> their auth/session infrastructures, and also confuse users when they're
> suddenly logged out for no reason that they can understand, or suddenly
> redirected back to a "Do you trust this site?" message because they'd only
> said "authorize once" and not "authorize always".
>
> I see it as saying "Yo, I'm asserting that this user is Brad, but I can
> only promise you that for the next 30 seconds, after which you should
> assume this was sniffed and reused at you."
>
> But overall I just hate the valid_to field. I love the issued one, so
> everybody can set their own policies (especially consumers because they're
> the ones that need to keep track of duplicates), but I'm not seeing who
> valid_to is useful for.
I think the 'valid_to' lets openid servers enforce a stronger security
policy than a site might default to. For me to trust OpenID, it's got to
both be more convenient, *and* more secure than logging in to everything
directly. By making consumer sites "check-in" to the producer with valid_to,
the producer knows what's going on, and has the ability to do something
about it if something looks fishy, which in my mind, makes it much more
secure.
More information about the yadis
mailing list