[OpenID] Assertion Quality Extension => openid.importance
Paul Madsen
paulmadsen at rogers.com
Tue Dec 12 20:55:55 UTC 2006
Is there not a potential contradiction between an RP expressing both of
'this is very very important to me' and 'I leave it to you as to the
specifics'?
If the RP authenticated the user locally and not through OpenID, and the
resources it was protecting were of any value or sensitivity, it would
surely have this sort of policy over what was an acceptable mechanism.
Does participating in OpenID mean the RP giving up this policy control?
How many such RPs will be willing to pay this price?
Fundamentally, I don't see how acknowledging that the RP may have
certain expectations of the authentication event is somehow in conflict
with user-centrism.
Regards
paul
Martin Atkins wrote:
> Manger, James H wrote:
>
>> The user-centric solution is not for the RP to specify a max auth age (or captcha or email verification or handbio or hardotp…), but for the RP to indicate the importance of the authentication. The user (with a little help from their OP) decides how to react (e.g. whether or not to login again) based on the importance/RP/auth-age/….
>>
>>
>
> I like this approach a lot more. It seems a lot more honest as to what's
> really going on, and it leaves protecting the task of user's interests
> in the IdP's hands where it belongs.
--
Paul Madsen e:paulmadsen @ ntt-at.com
NTT p:613-482-0432
m:613-302-1428
aim:PaulMdsn5
web:connectid.blogspot.com