Killing time
Paul Crowley
paul at ciphergoth.org
Fri Jul 8 14:55:48 PDT 2005
Just spoken to Brad about valid_to and other details of the protocol,
and we've agreed that we should probably take out references to time in
the token. This is because consumers, by and large, can't honour
valid_to and there's no point pretending they can. Consumers will have
their own ideas about what limits they can put on your authentication
(eg "bind to IP address" or "until browser closes" or even "just this
once") and since you can't make them honour whatever limits the server
sets anyway, you might as well leave the limiting entirely to them.

In short, tokens should no longer contain openid.issued or
openid.valid_to; replies to dumb mode requests will have an "is_valid"
field instead of a "lifetime".

The authentication handle stuff will have lifespans just as before.
(Brad, we didn't discuss this but it seems sensible, no?)

To address freshness concerns, we're recommending that consumers put
hard-to-forge tokens in their return_to URL - eg the time, plus some MAC
of the time - and check them on return. Then you can be sure that the
auth token was generated after you generated that return_to URL.
--
__
\/ o\ Paul Crowley, paul at ciphergoth.org
/\__/ http://www.ciphergoth.org/
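The freshness check the message recommends (a timestamp plus a MAC of the timestamp, placed in return_to by the consumer and verified when the user comes back) looks like this in practice. This is an added example, not code from the post or from any OpenID library; the query parameter name "fresh", the token layout "<timestamp>:<hex HMAC>", the consumer secret and the 300-second window are all assumptions chosen for illustration.

```python
import hmac
import hashlib
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed secret for this example. A real consumer keeps a random
# per-deployment key; it is never sent to the identity server.
CONSUMER_SECRET = b"example-consumer-secret-not-for-production"

# Hypothetical freshness window: the consumer decides how old a
# return_to may be and still count as "generated for this login".
MAX_AGE_SECONDS = 300


def make_freshness_token(secret: bytes, now: int) -> str:
    """Return "<timestamp>:<hex HMAC-SHA256 of timestamp>" (assumed layout)."""
    ts = str(int(now))
    mac = hmac.new(secret, ts.encode("ascii"), hashlib.sha256).hexdigest()
    return f"{ts}:{mac}"


def build_return_to(base_url: str, secret: bytes, now: int) -> str:
    """Append the freshness token to the consumer's return_to URL."""
    token = make_freshness_token(secret, now)
    sep = "&" if urlparse(base_url).query else "?"
    return base_url + sep + urlencode({"fresh": token})


def check_return_to(url: str, secret: bytes, now: int,
                    max_age: int = MAX_AGE_SECONDS) -> bool:
    """Verify the token on return: MAC must match, age must be in [0, max_age].

    Rejects a missing or duplicated parameter, a malformed token, a MAC made
    under a different key, a timestamp from the future, and a stale one.
    """
    values = parse_qs(urlparse(url).query).get("fresh")
    if not values or len(values) != 1:
        return False
    ts, sep, mac = values[0].partition(":")
    if not sep or not ts.isdigit():
        return False
    expected = hmac.new(secret, ts.encode("ascii"), hashlib.sha256).hexdigest()
    # Constant-time comparison so MAC checking does not leak via timing.
    if not hmac.compare_digest(expected, mac):
        return False
    age = int(now) - int(ts)
    return 0 <= age <= max_age


if __name__ == "__main__":
    url = build_return_to("https://consumer.example/finish", CONSUMER_SECRET, 1000)
    print(url)
    print("fresh within window:", check_return_to(url, CONSUMER_SECRET, 1100))
    print("stale after window:", check_return_to(url, CONSUMER_SECRET, 1400))
```

The MAC is what makes the token hard to forge: only the consumer holds the key, so an authentication response carrying a valid token must have been started from a return_to that consumer generated within the window. Note what this scheme does and does not give you: it bounds how old the originating request can be, but the same return_to could be presented more than once inside the window; a consumer that wants single use as well must also record a random per-request nonce and reject repeats.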