[Technical_wg] Expiration of Client-Accounts at DENIC-Authority

Marcos Sanz sanz at denic.de
Fri May 17 12:31:34 UTC 2019

Today it looks like a good day to discuss:

In our DENIC-ID deployment, Login-Partner (aka RPs or Clients) 
registrations are open to everyone and not limited in their lifetime. We're 
over 1.4K+ registrations since launch. Unfortunately, it looks like many 
of these are test accounts and some of the registrations are even 
duplicated hundreds of times. This is not necessarily malice, it may be 
carelessness or even misinterpretation of the documentation, which 
suggests RPs should register at an Authority during the login workflow 
*only if* they haven't dealt with that Authority before.

Whatever the cause might be, we are considering letting client accounts 
expire. Since we were anyway planning to enforce client secret expiration, 
we are considering proceeding as follows:

a) Activate client secret expiration for new clients and set it to 
something like 6 months. The client registration interface will return the 
expiration time of the secret in the field client_secret_expires_at 
(seconds since Epoch). At the moment, we return the value 0 (no expire).
b) Delete clients that do not renew their secrets before their expiration.
c) Activate automatic refreshing of client secret with each client 
registration update.
d) We still should decide what to do with those legacy clients with 
non-expiring credentials.

I'd love to hear your thoughts/experiences about this.
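
An added example, not part of the original message and not DENIC's code: a sketch of how an RP could decide, before each login, whether to reuse its stored registration, update it, or register anew, based on client_secret_expires_at as described in (a) to (c). The store layout, the two-week renewal margin, the authority URLs and all sample values are assumptions constructed for illustration.

```python
RENEW_MARGIN = 14 * 24 * 3600   # assumption: renew two weeks before expiry

def secret_state(registration, now, margin=RENEW_MARGIN):
    """Classify a stored registration by its client_secret_expires_at."""
    # Assumption: a response without the field is treated like the value 0.
    expires_at = registration.get("client_secret_expires_at", 0)
    if isinstance(expires_at, bool) or not isinstance(expires_at, int) or expires_at < 0:
        raise ValueError("client_secret_expires_at must be a non-negative integer")
    if expires_at == 0:
        return "non-expiring"   # 0 means the secret does not expire
    if now >= expires_at:
        return "expired"        # under (b) the client may already be deleted
    if expires_at - now <= margin:
        return "renew"          # under (c) an update refreshes the secret
    return "valid"

def next_action(store, authority, now):
    """Decide what the RP does before starting a login at `authority`."""
    registration = store.get(authority)
    if registration is None:
        return "register"       # first contact with this Authority
    state = secret_state(registration, now)
    if state == "expired":
        return "register"       # old client is gone, register once more
    if state == "renew":
        return "update"         # registration update, not a new registration
    return "reuse"              # valid or non-expiring: never register again

# Constructed sample data: one stored registration per Authority.
NOW = 1_560_000_000
DAY = 24 * 3600
STORE = {
    "https://legacy.example":  {"client_id": "c1", "client_secret_expires_at": 0},
    "https://fresh.example":   {"client_id": "c2", "client_secret_expires_at": NOW + 180 * DAY},
    "https://soon.example":    {"client_id": "c3", "client_secret_expires_at": NOW + 3 * DAY},
    "https://expired.example": {"client_id": "c4", "client_secret_expires_at": NOW - DAY},
}

if __name__ == "__main__":
    for authority in list(STORE) + ["https://unknown.example"]:
        print(authority, "->", next_action(STORE, authority, NOW))
```

Keying the store by Authority is what prevents the duplicate registrations mentioned above: "register" is returned only on first contact or after the secret has expired.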

