[OpenID] Trust + Security @ OpenID

Recordon, David drecordon at verisign.com
Mon Jul 9 02:36:44 UTC 2007


Hey John,
That was definitely part of the thinking behind both AQE and PAPE.  If
the RP could discover meta-data about the Provider, assuming it trusted
it, then it could make a better decision as to which Provider to send
the user to.  Neither of the specs deals with whether the RP should trust
the Provider's claims around strength, etc.  I would envision that coming
from some sort of trusted third party which specializes in OpenID
Providers.

--David

-----Original Message-----
From: general-bounces at openid.net [mailto:general-bounces at openid.net] On
Behalf Of John Panzer
Sent: Sunday, July 08, 2007 7:57 PM
To: Peter Williams
Cc: general at openid.net
Subject: Re: [OpenID] Trust + Security @ OpenID

Peter Williams wrote:
>...
> The 2 questions folks are repeatedly asking are:-
>  
> 1. should there be varying grades of protection for the delivery of
> the proof statement ("assurance levels")
>  
> 2. should there be varying grades of proof offered ("denoting the
> 'strength' of user auth/control")
>  
>  
> 1 seems already answered. OpenID2.0 designs already decide to offer two
> cryptographic strength options for the mac'ing process: SHA, and
> SHA-256. OpenID2.0 also now recommends direct mode communication of
> association-setup, also, avoiding the need to evaluate whether the
> user's browser is trustworthy - when redirecting the message flow over
> two back-back https channels.
>  
> 2 seems to be "in proposal"
>  
> What is missing is the ability for the RP within the same protocol
> session to reject the assertion, claiming proof strength X, sending it
> back requiring: "Y or better".

I was wondering today whether the ability to have multiple OPs in a
YADIS discovery document (for failover) could be leveraged; if each one
had a "declared strength" an RP could select the first one that is "Y or
better".  Of course it would then have to actually meet the "Y or
better" criteria and the RP needs assurance that it's telling the truth,
but if those fail perhaps the RP is better off telling the user they
need to go talk to their OP.

-John
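The OP-selection idea John sketches above, as an added example that is not part of the thread or of any OpenID library: an RP-side selector that walks the `<Service>` entries of a Yadis/XRDS document in priority order and picks the first OP whose declared strength is "Y or better". The `DeclaredStrength` element and its namespace are hypothetical, invented here for illustration; XRDS itself only defines `Type`, `URI` and `priority`, and the sample document is constructed.

```python
# Added example: pick an OP from a Yadis/XRDS discovery document by declared strength.
# <ds:DeclaredStrength> is a HYPOTHETICAL extension (not in any OpenID/Yadis spec).
import xml.etree.ElementTree as ET

XRD_NS = "xri://$xrd*($v*2.0)"
OP_TYPE = "http://specs.openid.net/auth/2.0/server"
EXT_NS = "http://example.invalid/declared-strength"  # hypothetical namespace

# Constructed sample: three OP endpoints listed for failover, ordered by priority.
SAMPLE_XRDS = f"""<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="{XRD_NS}" xmlns:ds="{EXT_NS}">
  <XRD>
    <Service priority="10"><Type>{OP_TYPE}</Type><URI>https://op-a.example/endpoint</URI>
      <ds:DeclaredStrength>1</ds:DeclaredStrength></Service>
    <Service priority="20"><Type>{OP_TYPE}</Type><URI>https://op-b.example/endpoint</URI>
      <ds:DeclaredStrength>3</ds:DeclaredStrength></Service>
    <Service><Type>{OP_TYPE}</Type><URI>https://op-c.example/endpoint</URI></Service>
  </XRD>
</xrds:XRDS>"""


def op_services(xrds_text):
    """Return [(priority, uri, strength)] for every OP endpoint, in Yadis priority order."""
    root = ET.fromstring(xrds_text)
    found = []
    for svc in root.iter(f"{{{XRD_NS}}}Service"):
        types = [t.text for t in svc.findall(f"{{{XRD_NS}}}Type")]
        if OP_TYPE not in types:
            continue
        uri = svc.findtext(f"{{{XRD_NS}}}URI")
        # Yadis semantics: lower priority values are tried first; a missing
        # priority sorts after every explicit one.
        prio = int(svc.get("priority", 2**31))
        text = svc.findtext(f"{{{EXT_NS}}}DeclaredStrength")
        strength = int(text) if text is not None else 0  # undeclared = weakest
        found.append((prio, uri, strength))
    return sorted(found, key=lambda s: s[0])


def select_op(xrds_text, required_strength):
    """First OP (by priority) declaring strength >= required_strength, else None.

    None is the failure mode from the thread: rather than silently falling
    back to a weaker OP, the RP should tell the user to go talk to their OP.
    A declared value is only a claim; verifying it is outside this function.
    """
    for _prio, uri, strength in op_services(xrds_text):
        if strength >= required_strength:
            return uri
    return None
```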


_______________________________________________
general mailing list
general at openid.net
http://openid.net/mailman/listinfo/general
