[OpenID] OpenID Assertion Quality Extension - Draft
Paul Madsen
paulmadsen at rogers.com
Thu Nov 30 19:33:55 UTC 2006
Hi George, for your use case below, why would not the RP just ask for
the user to be up-authenticated at the desired higher level when necessary?
Are you asking whether the RP should be allowed to ask the user to
re-present their URI in order for this to happen? And thereby
effectively treating each event as disconnected/standalone?
Wrt combinations, I know from experience that the alternative to
allowing for RPs to specify combinations is a combinatorial explosion in
the number of mechanism identifiers.
Paul
George Fletcher wrote:
> +1 simple and straight forward
>
> Just curious about uses cases where the required authentication level
> changes over time. For instance, a use case where to view my stock
> portfolio just requires "password", but doing a trade requires
> "voicebio". Is the expectation that authentication events can be
> treated as "standalone"? or that it's the RP's responsibility to manage
> the combinations based on the identifier?
>
> One final question... Is it valuable to provide a way to request two or
> more authentication methods be employed in the authentication event?
> For example, administrators of a site must use both "password" and
> "hardotp". Everyone else just needs "password".
>
> Thanks,
> George
>
>
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general
>
>
>
--
Paul Madsen e:paulmadsen @ ntt-at.com
NTT p:613-482-0432
m:613-302-1428
aim:PaulMdsn5
web:connectid.blogspot.com
More information about the specs
mailing list