Once more, LJ valid_to timespan.

Brad Fitzpatrick brad at danga.com
Thu Jul 7 11:18:53 PDT 2005


On Thu, 7 Jul 2005, Grant Monroe wrote:

> On 7/6/05, Brad Fitzpatrick <brad at danga.com> wrote:
> >
> > I've also been out of town until tonight.
> >
> > I'd love to start this conversation back up.
> >
>
> If I am understanding things correctly, livejournal is only looking at
> the valid_to field in the check_authentication step for dumb clients.
> The openid.valid_to timestamp is created by the server along with the
> openid.issued timestamp. Shouldn't the server just be able to look at
> the issued field and decide whether it has been too long?
>
> The other interpretation of this field seems to be some sort of
> advisory timestamp that the server sends to a consumer for when the
> user needs to reauthenticate. In this case, I'm guessing most
> consumers are just going to ignore this value and do whatever they
> normally do for user sessions.
>
> I don't think that either of these cases has much merit, and my vote
> is to remove it from the spec.

That's my thinking too.  Keep issued, but ditch valid_to.
check_authentication would then change to "is_valid" or something.

I think a "session & sign-off extension" could be added later, but OpenID
as it is should remain a one-time assertion protocol.

- Brad
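
The server-side check discussed above, where the server decides from the issued field alone whether too much time has passed, as an added example (not code from this thread, LiveJournal or the OpenID spec). The field names, signing format, HMAC-SHA256, key, 5-minute limit and clock-skew allowance are all assumptions made for illustration; `is_valid` only borrows the name floated in the message.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Assumptions (not from the thread): a server-private key, a 5-minute policy,
# a 30-second clock-skew allowance and a simplified "key:value\n" signing format.
SERVER_SECRET = b"constructed-demo-secret"
MAX_AGE = timedelta(minutes=5)
MAX_SKEW = timedelta(seconds=30)
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def _sign(identity, return_to, issued):
    # issued is covered by the MAC, so a consumer cannot "refresh" an old assertion.
    msg = f"identity:{identity}\nreturn_to:{return_to}\nissued:{issued}\n"
    return hmac.new(SERVER_SECRET, msg.encode(), hashlib.sha256).hexdigest()


def issue_assertion(identity, return_to, now):
    """Server side: build a signed one-time assertion stamped with `now` (UTC)."""
    issued = now.strftime(TIME_FMT)
    return {"identity": identity, "return_to": return_to,
            "issued": issued, "sig": _sign(identity, return_to, issued)}


def is_valid(assertion, now):
    """Server side: verify the MAC, then apply the server's own freshness policy."""
    try:
        expected = _sign(assertion["identity"], assertion["return_to"],
                         assertion["issued"])
        if not hmac.compare_digest(expected, assertion["sig"]):
            return False, "bad_signature"
        # Parse only after the MAC check, so unauthenticated input is not interpreted.
        issued = datetime.strptime(assertion["issued"], TIME_FMT).replace(tzinfo=timezone.utc)
    except (KeyError, ValueError, TypeError):
        return False, "malformed"
    age = now - issued
    if age < -MAX_SKEW:   # stamped later than the server's clock allows
        return False, "issued_in_future"
    if age > MAX_AGE:     # too old: the decision needs no valid_to field
        return False, "stale"
    return True, "ok"
```

Because the expiry policy lives only on the server, changing `MAX_AGE` takes effect for assertions already issued, which a signed valid_to value could not do.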

