[specs-pape] Proposed PAPE Addendum for Authentication Mechanisms (PAPE-AM)

Mike Jones Michael.Jones at microsoft.com
Mon Sep 29 13:55:28 PDT 2008

Hi Siddharth,

I hate to disappoint you and those who have worked on this draft, but both as the PAPE working group was chartered and as per the subsequent discussions on the working group list, any specification of specific authentication mechanisms is explicitly out of scope for PAPE.  The approved charter includes the language:
                (iii)  Scope:  ...  Adding any support for communicating requests for or the use of specific authentication methods (as opposed to authentication policies) is explicitly out of scope.

My September 22nd response on the working group list to Tatsuki Sakushima gave some of the reasons for this:

One of the core compromises that enabled the development of PAPE in the first place is that it is a vocabulary for communicating *only* authentication policies -- not specific authentication mechanisms.  (In fact, the second "P" in PAPE stands for "Policy".)  The participants agreed that if people wanted to communicate specific methods ("I used a password", "I used a password with a software OTP", "I used a client-side certificate not in the trusted root certificate store", "I used a visual secret", ...) that a different specification should be produced to do that.  If someone does that in another working group that's fine by me, but that work is explicitly out of scope for the PAPE working group.

I'm sorry if the PAPE scope wasn't clear to those of you who produced this document or if you were unaware of it.  But I'd rather be clear with you at this point than to have you believe that we can entertain this proposal within the PAPE working group.  We are explicitly prohibited from doing so.

I *would* support you creating a different OpenID Working group to create a Provider Authentication Mechanism Extension (PAME) specification.  (In fact, I'd probably join it.)  As per the discussions that led to the creation of PAPE drafts 1 and 2, then we can let the market decide, which is a good thing.  If people believe that knowing the policies used is sufficient, the PAPE spec will be used.  If people want to know specific mechanisms and a spec is created to communicate them, then that will be used.  It should also be possible to use them in combination.

Feel free to call my mobile phone (425) 985-8916 if you'd like to discuss this further.

                                                                Best wishes,
                                                                -- Mike

From: specs-pape-bounces at openid.net [mailto:specs-pape-bounces at openid.net] On Behalf Of Bajaj, Siddharth
Sent: Monday, September 29, 2008 12:46 PM
To: specs-pape at openid.net
Cc: Brian Kelly; taylor.venable at trustbearer.com
Subject: [specs-pape] Proposed PAPE Addendum for Authentication Mechanisms (PAPE-AM)

To the PAPE Working Group:

Please find a draft called 'Provider Authentication Policy Extension - Authentication Mechansims (PAPE-AM)'. This addendum is intended to extend the policies supported by the existing PAPE specification. PAPE-AM enables OpenID providers to provide more granular policies and information to the Relying Parties.

For example, Relying Parties will be able to request that the end user authenticate to the OpenID Provider using certain forms of credentials such as a digital certificate on smart card issued by a particular organization, an OTP token, or that OpenID users be authenticated to the provider under other certain specific security-related conditions.

Specifically, this addendum currently covers four areas which relate to the assurance of an authentication against the OpenID provider. Three of these areas govern the actual authentication process and method: PKI, OTP, and password. An additional category governs the channel security used in the connection which established the authenticated session.

The authors have deliberated on each of the attributes below and have tried to keep a sensible balance between simplicity and functionality. They identify some use cases where such granular control would be beneficial to the Relying Parties.

The authors want to submit this work to the PAPE WG for consideration to be included in the PAPE specification or as appropriate.

Thank you for your consideration,

Taylor Venable, Brian Kelly, Mingliang Pei, Siddharth Bajaj & Daniel Perry.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://openid.net/pipermail/specs-pape/attachments/20080929/e4f236e8/attachment.htm 

More information about the specs-pape mailing list