Once more, LJ valid_to timespan.

meepbear * meepbear at hotmail.com
Fri Jul 1 18:49:27 PDT 2005


>I think the 'valid_to' lets openid servers enforce a stronger security
>policy than a site might default to. For me to trust OpenID, it's got to
>both be more convenient, *and* more secure than logging in to everything
>directly. By making consumer sites "check-in" to the producer with 
>valid_to,
>the producer knows what's going on, and has the ability to do something
>about it if something looks fishy, which in my mind, makes it much more
>secure.
Unless you're running your own OpenID server, log in to a consumer, wait for 
the timeout and then check to see if it played nice and contacted the server 
again, you're never going to know whether any one consumer is playing by the 
rules or not.

I would expect and want a consumer to cache my identity once it confirms it 
and never ask me for it again or recheck with the server unless it loses 
state, in which case it's acceptable.
If you've ever been to a site that uses Typepad you'll know that people 
continually complain about it losing comments, since the session expires 
after a set amount of time and whatever you were writing or doing at the 
time is lost; you have to log in again and start over.

From the security viewpoint, the worst-case scenarios are:
- someone snatches the consumer's session cookie and is able to post a 
comment on that site with your name
- someone snatches the session cookie the server uses as your credentials 
and gets access to everything

I would argue that the second is a much more critical breach than the first. 
By requiring that the consumer contacts the server over and over not only 
multiple times during a session but for each visit to that site you're 
greatly increasing the risk of the second happening.

The reason why I personally sign up for sites in order to comment is because 
I don't really care if that gets compromised, there's nothing of value there 
for anyone to do besides being able to comment with my name.

Now if I'm required to be signed in to, for example, livejournal.com at all 
times continuously, the chances for someone to hijack my livejournal login 
session are infinitely higher than they would normally be, since the only 
time I ever have to sign in there now is when I want to post, to comment, 
or to read friends' entries. For everything else I'm logged out.




More information about the yadis mailing list