[PROPOSAL] authentication age

Dick Hardt dick at sxip.com
Mon Oct 2 16:33:29 UTC 2006


On 2-Oct-06, at 2:48 AM, Martin Atkins wrote:

> Recordon, David wrote:
>> That was going to be my exact follow-up to my own message, though got
>> distracted.  What I phrased was how Dick described it.
>>
>> I like the feature, though agree that many IdPs may be unable to
>> implement it due to how they do session handling.  It could be
>> augmented to also contain a response parameter telling the RP if the
>> IdP acknowledged it, then the RP could make the decision if it wants
>> to proceed.
>>
>
> But again, IdPs will just send it whether they did it or not, because
> it's like a "make it work" flag; people will quickly forget/dismiss
> what it really means and set it just to make their IdP work.
>
> Unless you've got some way to *prove* that you did it (I can't think
> of one) there's no point.
>
> This also ignores the fact that not all "IdPs" are going to use
> sessions and passwords. One could potentially make one that acts on a
> presented certificate, for example. Or one which just returns "Yes" to
> everything as an anonymising tool.

OpenID, like many other protocols, places trust in the IdP that it
will operate per the protocol. The user takes responsibility for
choosing an IdP that they trust to operate appropriately.

e.g.: There is nothing that stops an IdP from *proving* a particular
URL belongs to a particular user.

Currently I have blame.ca pointing to dick.hardt.myopenid.com. The
myopenid.com server could state that any user at myopenid.com owns
blame.ca, but I trust myopenid.com not to do that. There is no way to
*prove* it is me using the URL.

-- Dick
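Added example (not code from the thread, the OpenID spec or any participant) showing where the trust boundary in this exchange actually sits. The RP can verify the IdP's signature over an authentication-age field, so it can tell whether the IdP asserted the value and whether it was altered in transit, and it can decide what to do when the IdP simply did not acknowledge the parameter. What it cannot do is tell an IdP that genuinely re-authenticated the user from one that sets the value "to make it work". The signature scheme (HMAC-SHA1 over the key-value form of the fields listed in openid.signed) is the OpenID 1.x one; the field name openid.auth_age, the max_auth_age policy, the association secret and the sample assertion are all assumptions constructed for this example.

```python
"""RP-side handling of an authentication-age field on an OpenID 1.x style
signed assertion.  Added example; field names, policy, association secret
and sample data are assumptions, not part of the proposal or the spec."""
import base64
import hashlib
import hmac

# Constructed association shared by RP and IdP (assumption for the example).
ASSOC_HANDLE = "example-assoc-1"
ASSOC_SECRET = b"0123456789abcdef0123"  # 20-byte HMAC-SHA1 key

# Fields the IdP signs; "auth_age" is the hypothetical acknowledgement.
SIGNED_FIELDS = ["mode", "identity", "return_to", "assoc_handle", "auth_age"]


def kv_form(fields, signed):
    """OpenID 1.x key-value form: 'key:value\\n' for each signed field, in the
    order given by openid.signed, with the 'openid.' prefix stripped."""
    return "".join(f"{k}:{fields['openid.' + k]}\n" for k in signed).encode()


def idp_sign(fields, signed, secret=ASSOC_SECRET):
    """What the IdP does: MAC the listed fields and attach signed/sig."""
    mac = hmac.new(secret, kv_form(fields, signed), hashlib.sha1).digest()
    resp = dict(fields)
    resp["openid.signed"] = ",".join(signed)
    resp["openid.sig"] = base64.b64encode(mac).decode()
    return resp


def rp_verify_sig(resp, secret=ASSOC_SECRET):
    """True only if the IdP really asserted every field in openid.signed."""
    try:
        signed = resp["openid.signed"].split(",")
        expected = hmac.new(secret, kv_form(resp, signed), hashlib.sha1).digest()
        got = base64.b64decode(resp["openid.sig"])
    except (KeyError, ValueError):  # missing field or malformed base64
        return False
    return hmac.compare_digest(got, expected)


def rp_decide(resp, max_auth_age, require_ack=True, secret=ASSOC_SECRET):
    """Return 'accept', 'reauth' or 'reject' for an assertion.

    require_ack is the RP policy for an IdP that did not acknowledge the
    authentication-age request (the case Recordon raises above)."""
    if not rp_verify_sig(resp, secret):
        return "reject"
    signed = resp["openid.signed"].split(",")
    if "auth_age" not in signed or "openid.auth_age" not in resp:
        # Not acknowledged, or present but unsigned: an unsigned claim is
        # worth nothing, so treat both the same way and apply RP policy.
        return "reject" if require_ack else "accept"
    try:
        age = int(resp["openid.auth_age"])
    except ValueError:
        return "reject"
    if age < 0:
        return "reject"
    return "accept" if age <= max_auth_age else "reauth"


# Constructed sample assertion; blame.ca is the URL used in the thread,
# everything else is made up for the example.
SAMPLE = {
    "openid.mode": "id_res",
    "openid.identity": "http://blame.ca/",
    "openid.return_to": "http://rp.example/finish",
    "openid.assoc_handle": ASSOC_HANDLE,
    "openid.auth_age": "30",  # seconds since the IdP authenticated the user
}


def demo():
    honest = idp_sign(SAMPLE, SIGNED_FIELDS)
    # IdP that ignores the request: same assertion, no auth_age at all.
    silent_fields = {k: v for k, v in SAMPLE.items() if k != "openid.auth_age"}
    silent = idp_sign(silent_fields, SIGNED_FIELDS[:-1])
    # Value rewritten after the IdP signed it: caught by the signature.
    tampered = dict(honest)
    tampered["openid.auth_age"] = "0"
    # "Make it work" IdP: signs age 0 without re-authenticating anyone.
    liar = idp_sign(dict(SAMPLE, **{"openid.auth_age": "0"}), SIGNED_FIELDS)
    return {
        "honest_ok": rp_decide(honest, max_auth_age=60),
        "honest_stale": rp_decide(honest, max_auth_age=10),
        "silent_strict": rp_decide(silent, max_auth_age=10),
        "silent_lenient": rp_decide(silent, max_auth_age=10, require_ack=False),
        "tampered": rp_decide(tampered, max_auth_age=10),
        "liar": rp_decide(liar, max_auth_age=10),  # indistinguishable from honest
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:15} {verdict}")
```

The "liar" case is the one the thread is about: it passes every check the RP can perform, which is why the decision reduces to the user's choice of IdP rather than to anything the protocol can prove.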
