[OpenID] Announcing OpenID Authentication 2.0 - Implementor's Draft 11

Josh Hoyt josh at janrain.com
Mon Jan 22 18:03:47 UTC 2007


On 1/22/07, Ben Laurie <benl at google.com> wrote:
> > On 1/22/07, Ben Laurie <benl at google.com> wrote:
> > > OK, the idea is pretty simple. Rather like the "OpenID Authentication
> > > Security Profiles" you have a profile where the RP states what kind of
> > > End User/OP authentication is acceptable to it. Sites with low/zero
> > > value attached to the login can accept any kind of EU/OP auth, whereas
> > > high value sites can require "unphishable" auth.
> >
> > I like the sound of this proposal, but I don't see how the RP could
> > know whether the OP is actually using "unphishable" authentication
> > when that kind of authentication is requested. Is it necessary for the
> > RP to be able to tell for sure, and if so, how could it tell?
>
> No, I don't think it is necessary. If users want to trust their
> identity to OPs that lie, that's their decision.

In that case, I think this could just be part of the "Assertion
Quality Extension." [1] I haven't been involved in that specification
at all, but my understanding is that it provides a way of expressing
what kind of authentication the RP would like to have when a request
is made to the OP.

Josh

1. http://openid.net/specs/openid-assertion-quality-extension-1_0-01.html
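The proposal above boils down to two things: the RP states in its request what kind of End User/OP authentication it will accept, and the OP's answer about what it actually used is a claim the RP cannot verify. The following Python is an added example, not code from the thread and not the Assertion Quality Extension or any other OpenID extension; the `openid.ns.pol` / `openid.pol.*` parameter names, the policy labels and the namespace URL are hypothetical placeholders. The `openid.ns`, `openid.mode`, `openid.return_to` and `openid.op_endpoint` keys are standard OpenID 2.0 keys. It goes slightly beyond the mail by showing one way an RP can turn "OPs that lie" into an explicit trust decision on its own side.

```python
from __future__ import annotations

# Constructed policy labels; a real extension would use URIs.
PHISHING_RESISTANT = "phishing-resistant"
MULTI_FACTOR = "multi-factor"
ANY = "any"

# Hypothetical extension namespace (placeholder, not a real spec value).
EXT_NS = "http://example.invalid/auth-policy/1.0"


def policies_for_site(value: str) -> set[str]:
    """Low/zero-value sites accept any EU/OP auth; high-value sites
    require unphishable auth (the split described in the thread)."""
    return {PHISHING_RESISTANT} if value == "high" else {ANY}


def build_request(claimed_id: str, return_to: str, acceptable: set[str]) -> dict[str, str]:
    """RP -> OP checkid_setup request carrying the acceptable policies.
    openid.ns / openid.mode / openid.return_to are OpenID 2.0 keys;
    openid.ns.pol and openid.pol.acceptable are hypothetical."""
    return {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "checkid_setup",
        "openid.claimed_id": claimed_id,
        "openid.identity": claimed_id,
        "openid.return_to": return_to,
        "openid.ns.pol": EXT_NS,
        "openid.pol.acceptable": " ".join(sorted(acceptable)),
    }


def evaluate_response(acceptable: set[str], response: dict[str, str],
                      trusted_ops: set[str]) -> tuple[bool, str]:
    """Decide whether the RP accepts a positive assertion.

    `response` is assumed to have passed OpenID signature verification
    already; that step is out of scope here. `openid.pol.used` (hypothetical)
    is the OP's claim about which policy it applied. Because the RP cannot
    verify that claim, it is only honoured for OPs the RP has chosen to trust.
    """
    if response.get("openid.mode") != "id_res":
        return False, "not a positive assertion"
    if ANY in acceptable:
        return True, "any authentication accepted for this site"
    claimed = set(response.get("openid.pol.used", "").split())
    satisfied = claimed & acceptable
    if not satisfied:
        return False, "OP did not claim an acceptable policy"
    op = response.get("openid.op_endpoint", "")
    if op not in trusted_ops:
        return False, f"OP {op or '<unknown>'} claims {sorted(satisfied)} but RP has no basis to believe it"
    return True, f"accepted: {sorted(satisfied)} claimed by an OP the RP trusts"


# Constructed sample responses (not real protocol traces).
RESPONSE_LYING_OP = {
    "openid.mode": "id_res",
    "openid.op_endpoint": "https://op.example/server",
    "openid.pol.used": PHISHING_RESISTANT,
}
RESPONSE_WEAK_AUTH = {
    "openid.mode": "id_res",
    "openid.op_endpoint": "https://op.example/server",
    "openid.pol.used": MULTI_FACTOR,
}


def demo() -> list[tuple[bool, str]]:
    """Run the high-value and low-value cases against the same OP claims."""
    high = policies_for_site("high")
    low = policies_for_site("low")
    return [
        evaluate_response(low, RESPONSE_WEAK_AUTH, set()),                      # accepted
        evaluate_response(high, RESPONSE_WEAK_AUTH, {"https://op.example/server"}),  # rejected
        evaluate_response(high, RESPONSE_LYING_OP, set()),                      # rejected: untrusted OP
        evaluate_response(high, RESPONSE_LYING_OP, {"https://op.example/server"}),   # accepted by trust
    ]


if __name__ == "__main__":
    for ok, why in demo():
        print("ACCEPT" if ok else "REJECT", "-", why)
```

The last two cases are the point of the exchange: the same claim from the same OP is rejected or accepted purely on the RP's (or, as Ben puts it, the user's) decision to trust that OP, since nothing in the message proves which authentication was used.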


