valid_from / valid_to

Brad Fitzpatrick brad at danga.com
Wed Jun 8 13:31:46 PDT 2005


On Wed, 8 Jun 2005, Brad Fitzpatrick wrote:

> On Wed, 8 Jun 2005, Paul Crowley wrote:
>
> > Brad Fitzpatrick wrote:
> > > # openid.valid_from = UTC date
> > > # openid.valid_to = UTC date
> > >
> > > What are those in the spec?
> >
> > They define the validity period of the auth token according to the
> > server clock.  The consumer should make the user re-authenticate when
> > the token expires.  valid_from should be the creation date.
> >
> > http://lists.danga.com/pipermail/yadis/2005-June/000559.html
> >
> > defines how the consumer should conservatively track the server clock in
> > order to interpret this expiry date.
>
> I still don't get it.  The "auth_token" being the sig?  Or what?

BTW, I understand what your pseudocode does, but not why.  What's the
attack or thing we're otherwise trying to protect/guarantee doesn't
happen?

- Brad

