valid_from / valid_to
Brad Fitzpatrick
brad at danga.com
Wed Jun 8 13:31:46 PDT 2005
On Wed, 8 Jun 2005, Brad Fitzpatrick wrote:
> On Wed, 8 Jun 2005, Paul Crowley wrote:
>
> > Brad Fitzpatrick wrote:
> > > # openid.valid_from = UTC date
> > > # openid.valid_to = UTC date
> > >
> > > What are those in the spec?
> >
> > They define the validity period of the auth token according to the
> > server clock. The consumer should make the user re-authenticate when
> > the token expires. valid_from should be the creation date.
> >
> > http://lists.danga.com/pipermail/yadis/2005-June/000559.html
> >
> > defines how the consumer should conservatively track the server clock in
> > order to interpret this expiry date.
>
> I still don't get it. The "auth_token" being the sig? Or what?
BTW, I understand what your pseudocode does, but not why. What's the
attack or thing we're otherwise trying to protect/guarantee doesn't
happen?
- Brad