[Openid-specs-ab] acr values

Tim Bray tbray at textuality.com
Mon Aug 12 20:54:18 UTC 2013


I don’t know.  We are hearing strong demands from potential users of our
IDP services for some metric of auth strength.  They tend to have very
specific demands.  We’re not convinced that something as simple as “Did
they use 2-factor?” is going to do the trick and there’s a lot of
interesting work going on in this space.  So what I’m concerned with is
that when new strength metrics arise, OIDC won’t get in the way of the RP
asking for particular values, nor of the OP describing its view of
strength.   -T

On Mon, Aug 12, 2013 at 1:49 PM, Anthony Nadalin <tonynad at microsoft.com> wrote:

> In some cases the RP may not understand all of what the IdP is saying, like
> the state of the session; the RP may not deal with or care about session
> state, may only deal with authentication strength and rely on short-lived
> tokens for enforcing sessions, so what would you expect the RP to do with
> the combined URI in your example?
>
> *From:* Tim Bray [mailto:tbray at textuality.com]
> *Sent:* Monday, August 12, 2013 1:46 PM
> *To:* Anthony Nadalin
> *Cc:* <openid-specs-ab at lists.openid.net>
> *Subject:* Re: [Openid-specs-ab] acr values
>
> An RP.
>
> On Mon, Aug 12, 2013 at 1:30 PM, Anthony Nadalin <tonynad at microsoft.com>
> wrote:
>
> Who do you want to say something about the “session strength” to?
>
> *From:* openid-specs-ab-bounces at lists.openid.net [mailto:
> openid-specs-ab-bounces at lists.openid.net] *On Behalf Of *Tim Bray
> *Sent:* Monday, August 12, 2013 1:05 PM
> *To:* <openid-specs-ab at lists.openid.net>
> *Subject:* [Openid-specs-ab] acr values
>
> In our IDP role, we’re coming under a lot of pressure to say something
> about “session strength” and maybe in some circumstances force re-auth and
> so on.  There are a lot of different vocabularies in play that you could
> use to talk about this stuff, including NIST and ISO publications; and the
> work of the FIDO Alliance is maybe interesting.  So I expect a lot of churn
> in this space, and OIDC needs to allow sufficient elbow room.
>
> So, the purpose of this note is to confirm my understandings, based on
> looking at the OIDC Messages draft.  Do people agree with these?
>
> - It’s perfectly OK to provide any old URI we dream up as a value for the
> “acr” claim.
>
> - There may be awkwardness around multiple values; suppose I wanted to
> assert, for example, that the session is less than ten minutes old AND
> two-factor authentication was used.  All I can think of is composing a URI
> along the lines of urn:google-auth-claims?max-age=10&two-factor=true; which
> is a little kludgy but I guess OK.  Awkward, though, in the case where
> there’s a FIDO vocabulary for 2-factor-flavor and someone else’s vocabulary
> for session-freshness.
>