[OpenID] OpenID Assertion Quality Extension - Draft

Paul Madsen paulmadsen at rogers.com
Thu Nov 30 19:33:55 UTC 2006


Hi George, for your use case below, why would the RP not just ask for 
the user to be up-authenticated at the desired higher level when necessary?

Are you asking whether the RP should be allowed to ask the user to 
re-present their URI in order for this to happen? And thereby 
effectively treating each event as disconnected/standalone?

Wrt combinations, I know from experience that the alternative to 
allowing for RPs to specify combinations is a combinatorial explosion in 
the number of mechanism identifiers.

Paul

George Fletcher wrote:
> +1 simple and straightforward
>
> Just curious about use cases where the required authentication level 
> changes over time.  For instance, a use case where to view my stock 
> portfolio just requires "password", but doing a trade requires 
> "voicebio".  Is the expectation that authentication events can be 
> treated as "standalone"? or that it's the RP's responsibility to manage 
> the combinations based on the identifier?
>
> One final question... Is it valuable to provide a way to request two or 
> more authentication methods be employed in the authentication event?  
> For example, administrators of a site must use both "password" and 
> "hardotp".  Everyone else just needs "password".
>
> Thanks,
> George

-- 
Paul Madsen             e:paulmadsen @ ntt-at.com
NTT                     p:613-482-0432
                        m:613-302-1428
                        aim:PaulMdsn5
                        web:connectid.blogspot.com 



