[OpenID] Assertion Quality Extension => openid.importance

Justin S. Peavey jsplist-openidspecs at trashcan.org
Wed Dec 13 00:04:01 UTC 2006


Echoing Kevin's comments from October on this
(http://openid.net/pipermail/specs/2006-October/000223.html)

This model will only fly in the general case when the user or some other
non-RP agent is willing to assume all risk/liability for the transaction
the user's identity is requesting.

Barring this, I think it is reasonable to expect the RP to place some
conditions, call them suggestions if you want, that they expect will be
followed in order to increase their trust of the asserted identity.  I'm
not suggesting a change in the spec, just an acknowledgment that the RP
has some rights as well in this user-centric design and may not choose
to participate in the general model based on only an essentially
user-backed assertion .  RPs that bear risk will likely only accept
identities from IdPs or associations of IdPs that they have agreements
in place with that cover exactly how these situations will be handled.

Use case example:
RP sees activity from an identity that is anomalous to their normal
actions.  Before the RP processes a risk-bearing transaction, they want
to be sure the user is 'really there' and they didn't walk away from
their system or have their session stolen - so the RP requests that the
user be re-authenticated.  We're all familiar with this exact process
from credit card companies today when buying patterns change, they are
bearing the risk so it is reasonable to expect that they can put in
controls to mitigate that risk.

-Justin


Martin Atkins wrote:
> Paul Madsen wrote:
>   
>> Is there not a potential contradiction between an RP expressing both of 
>> 'this is very very important to me' and 'I leave it to you as to the 
>> specifics'?
>>
>>     
>
> Perhaps, but that is the case in both the "IdP reports" and the "RP 
> suggests" case: either way the IdP is calling the shots, but the "RP 
> suggests" case is more honest about who is in control.
>
>
> _______________________________________________
> specs mailing list
> specs at openid.net
> http://openid.net/mailman/listinfo/specs
>   





More information about the specs mailing list