[security] [OpenID] Announcing OpenID Authentication 2.0 - Implementor's Draft 11
benl at google.com
Mon Jan 22 03:55:48 PST 2007
On 1/21/07, Ben Laurie <benl at google.com> wrote:
> On 1/19/07, Dick Hardt <dick at sxip.com> wrote:
> > On 19-Jan-07, at 6:19 AM, Ben Laurie wrote:
> > >
> > > Still totally unhappy about the phishing issues, which I blogged
> > > about here:
> > >
> > > http://www.links.org/?p=187
> > There are numerous ways of solving this. Several standard methods can
> > solve it. It is a relationship between the user and the OP and the RP
> > is not party, so I don't think it belongs in the OpenID
> > Authentication specification.
> > That does not mean it is not important, just that *this* spec is not
> > the right place.
> I think that's entirely wrong. The RP doesn't care at all about the OP
> - all the RP cares about is the end user.
> More importantly, I think I have a solution that will make both of us
> happy, but I now have to go and ride my motorbike fast, so I'll detail
> it later.
OK, the idea is pretty simple. Rather like the "OpenID Authentication
Security Profiles" you have a profile where the RP states what kind of
End User/OP authentication is acceptable to it. Sites with low/zero
value attached to the login can accept any kind of EU/OP auth, whereas
high value sites can require "unphishable" auth.
Obviously some serious work is needed to flesh out this proposal, but
it seems to me it allows OpenID to stay lightweight (and phishable)
where appropriate, but also to serve a useful purpose for high-value
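An added example, not code from this thread, from the OpenID specification or from any OpenID library: a small Python model of the RP side of the profile Ben sketches above, where the RP names the End User/OP authentication policies it will accept and the OP asserts which one it actually used. The extension namespace, the "ap" alias, the parameter names acceptable_policies and used_policies and the policy URIs are all assumptions made for illustration. What the code does rely on from OpenID Authentication 2.0 as published: openid.ns.<alias> declarations for extension namespaces, openid.mode=id_res for a positive assertion, and openid.signed listing the signed fields without the "openid." prefix. The check a practitioner would want is the last one in policy_satisfied: the RP may only trust an asserted policy if the policy fields are covered by openid.signed, otherwise whoever relays the response to the RP could add the claim themselves.

```python
"""
Added example (not from the thread): RP-side handling of a hypothetical
"acceptable authentication policy" OpenID 2.0 extension.

Assumptions (not part of OpenID Authentication 2.0): the extension
namespace URI, the "ap" alias, the parameter names acceptable_policies /
used_policies, and the policy URIs.  The sample OP responses below are
constructed for illustration, not real captures.
"""
from urllib.parse import urlencode, parse_qs

OPENID2_NS = "http://specs.openid.net/auth/2.0"            # real OpenID 2.0 namespace
AUTH_POLICY_NS = "http://example.org/openid/auth-policy/1.0"  # assumed extension namespace
POLICY_PHISHING_RESISTANT = "http://example.org/policy/phishing-resistant"  # assumed
POLICY_PASSWORD = "http://example.org/policy/password"                      # assumed


def build_checkid_setup(claimed_id, return_to, realm, acceptable_policies):
    """RP -> OP: checkid_setup request carrying the policies the RP accepts."""
    params = {
        "openid.ns": OPENID2_NS,
        "openid.mode": "checkid_setup",
        "openid.claimed_id": claimed_id,
        "openid.identity": claimed_id,
        "openid.return_to": return_to,
        "openid.realm": realm,
        # Hypothetical extension: namespace declaration plus the RP's policy list.
        "openid.ns.ap": AUTH_POLICY_NS,
        "openid.ap.acceptable_policies": " ".join(acceptable_policies),
    }
    return urlencode(params)


def _find_alias(fields, ns_uri):
    """Return the alias the OP used for ns_uri (it need not reuse the RP's alias)."""
    for key, value in fields.items():
        if key.startswith("openid.ns.") and value == ns_uri:
            return key[len("openid.ns."):]
    return None


def policy_satisfied(response_query, acceptable_policies):
    """RP-side check on an OP response.  True only if the assertion is
    positive, the policy fields are covered by openid.signed, and the OP
    asserts at least one policy the RP accepts.  Verifying openid.sig itself
    (association MAC or check_authentication) is assumed done by the caller."""
    fields = {k: v[0] for k, v in parse_qs(response_query).items()}
    if fields.get("openid.mode") != "id_res":
        return False
    alias = _find_alias(fields, AUTH_POLICY_NS)
    if alias is None:
        return False
    # openid.signed names fields without the "openid." prefix.
    signed = set(fields.get("openid.signed", "").split(","))
    if f"ns.{alias}" not in signed or f"{alias}.used_policies" not in signed:
        return False  # unsigned policy claim: anyone relaying the response could have added it
    used = set(fields.get(f"openid.{alias}.used_policies", "").split())
    return bool(used & set(acceptable_policies))


def constructed_response(used_policies, sign_policy=True, alias="ap"):
    """Constructed sample OP -> RP positive assertion (not a real capture)."""
    signed = ["op_endpoint", "claimed_id", "identity", "return_to",
              "response_nonce", "assoc_handle"]
    if sign_policy:
        signed += [f"ns.{alias}", f"{alias}.used_policies"]
    params = {
        "openid.ns": OPENID2_NS,
        "openid.mode": "id_res",
        "openid.op_endpoint": "https://op.example.org/endpoint",
        "openid.claimed_id": "https://alice.example.org/",
        "openid.identity": "https://alice.example.org/",
        "openid.return_to": "https://rp.example.com/return",
        "openid.response_nonce": "2007-01-22T11:55:48ZUNIQUE",
        "openid.assoc_handle": "assoc-handle-1",
        "openid.signed": ",".join(signed),
        "openid.sig": "c2lnbmF0dXJlLXBsYWNlaG9sZGVy",  # placeholder; not verified here
        f"openid.ns.{alias}": AUTH_POLICY_NS,
        f"openid.{alias}.used_policies": " ".join(used_policies),
    }
    return urlencode(params)


if __name__ == "__main__":
    high_value = [POLICY_PHISHING_RESISTANT]
    print(build_checkid_setup("https://alice.example.org/",
                              "https://rp.example.com/return",
                              "https://rp.example.com/", high_value))
    print(policy_satisfied(constructed_response([POLICY_PHISHING_RESISTANT]), high_value))
    print(policy_satisfied(constructed_response([POLICY_PASSWORD]), high_value))
```

A low-value site passes a list containing every policy it tolerates (password included) and accepts almost anything; a high-value site passes only the phishing-resistant policy and rejects a password-only assertion, as well as any response in which the policy fields are not signed.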