[OpenID] Trust + Security @ OpenID

John Panzer jpanzeracm at johnpanzer.com
Mon Jul 9 02:57:01 UTC 2007


Peter Williams wrote:
>...
> The 2 questions folks are repeatedly asking are:-
>  
> 1. should there be varying grades of protection for the delivery of the proof statement ("assurance levels")
>  
> 2. should there be varying grades of proof offered ("denoting the 'strength' of user auth/control")
>  
>  
> 1 seems already answered. OpenID2.0 designs already decide to offer two cryptographic strength options for the mac'ing process: SHA, and SHA-256. OpenID2.0 also now recommends direct mode communication of association-setup, also, avoiding the need to evaluate whether the user's browser is trustworthy - when redirecting the message flow over two back-back https channels.
>  
> 2 seems to be "in proposal"
>  
> What is missing is the ability for the RP within the same protocol session to reject the assertion, claiming proof strength X, sending it back requiring: "Y or better".

I was wondering today whether the ability to have multiple OPs in a 
YADIS discovery document (for failover) could be leveraged; if each one 
had a "declared strength" an RP could select the first one that is "Y or 
better".  Of course it would then have to actually meet the "Y or 
better" criteria and the RP needs assurance that it's telling the truth, 
but if those fail perhaps the RP is better off telling the user they 
need to go talk to their OP.

-John
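
The selection idea in the reply above, sketched as an added example that is not part of the original message or of any OpenID specification: an RP walks the OpenID 2.0 services in a Yadis/XRDS document in priority order and picks the first one whose declared strength is "Y or better". The `ex:DeclaredStrength` element, its namespace, the integer scale and the `*.example` hosts are all hypothetical; the declared value is only the OP's claim, so the RP still has to check what the assertion actually delivers.

```python
import xml.etree.ElementTree as ET

XRD = "{xri://$xrd*($v*2.0)}"              # XRD 2.0 namespace used by Yadis/XRDS
EXT = "{http://example.org/ns/strength}"   # hypothetical extension namespace
SIGNON = "http://specs.openid.net/auth/2.0/signon"

def service(priority, host, strength):
    """Build one constructed <Service> entry carrying the hypothetical claim."""
    return (f'<Service priority="{priority}"><Type>{SIGNON}</Type>'
            f'<URI>https://{host}/auth</URI>'
            f'<ex:DeclaredStrength>{strength}</ex:DeclaredStrength></Service>')

# Constructed discovery document: three OPs listed for failover.
SAMPLE_XRDS = ('<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)" '
               'xmlns:ex="http://example.org/ns/strength"><XRD>'
               + service(10, "op-password.example", 1)
               + service(20, "op-token.example", 3)
               + service(30, "op-otp.example", 2)
               + '</XRD></xrds:XRDS>')

def select_op(xrds_text, required):
    """Return the endpoint of the first OP, in priority order, whose declared
    strength is >= required; None means the user has to go talk to their OP."""
    candidates = []
    for svc in ET.fromstring(xrds_text).iter(XRD + "Service"):
        types = [(t.text or "").strip() for t in svc.findall(XRD + "Type")]
        uri = (svc.findtext(XRD + "URI") or "").strip()
        if SIGNON not in types or not uri:
            continue
        declared = (svc.findtext(EXT + "DeclaredStrength") or "").strip()
        level = int(declared) if declared.isdecimal() else 0    # no claim = lowest
        prio = svc.get("priority", "")
        order = int(prio) if prio.isdecimal() else float("inf")  # no priority = last
        candidates.append((order, uri, level))
    for _, uri, level in sorted(candidates, key=lambda c: c[0]):
        if level >= required:
            return uri
    return None

if __name__ == "__main__":
    for y in (1, 2, 4):
        print(y, select_op(SAMPLE_XRDS, y) or "no OP declares this strength")
```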




