[PROPOSAL] authentication age

Chris Drake christopher at pobox.com
Thu Oct 5 03:59:49 UTC 2006


Hi Gabe,

Beautifully worded, and (IMHO) an extremely valuable real-world
opinion.  I too believe OpenID is currently a "non-starter".  I have
dual vested interests:  I want OpenID to succeed, *especially* for RPs
like Visa, since my IdP makes money from supporting OpenID only when
OpenID ends up getting used.  I also believe that an IdP (and mine in
particular) is well suited for deploying secure technology (eg: two
factor tokens).  If, aside from making OpenID actually *work* for the
likes of Visa, we can build in the ability to provide a tangible
*benefit* to Visa from using it (that is: allow Visa to REQUIRE that a
user has authenticated via two-factor means, to an accredited - i.e:
explicitly trusted by Visa - IdP) then we've not only cemented the
future of OpenID, we've gone and improved a pile of security problems
along the way.

Kind Regards,
Chris Drake
1id.com

Thursday, October 5, 2006, 1:41:34 PM, you wrote:

GW> Chris-
GW> 	As someone who has recently come from working in the financial
GW> sector (Visa), it's clear that OpenID is NOT intended for authentication
GW> where the *relying party* cares about how the authentication is performed.

GW> 	At places like Visa and for home banking, this means that OpenID,
GW> without something more, is clearly a . These relying parties want
GW> to know exactly how their users are being authenticated because their
GW> business is all about risk management and creating business opportunities
GW> around very good knowledge of the risk profile of each transaction type.

GW> 	That all being said, I believe it should be possible to layer on
GW> OpenID a form of IDP control such that a relying party can require a certain
GW> class or group of IDPs be used when presenting authentication assertions to
GW> them. The actual *policy* for how these IDPs are approved is probably
GW> orthogonal to the protocol spec, but "secure" identification of those IDPs
GW> (relative to some trust root, etc) could probably be made into an extension
GW> usable for those parties who want it. 

GW> 	My guess is that culturally, most people involved in OpenID have
GW> *not* been interested in addressing these concerns. However, expectations
GW> need to be better managed around these sorts of "relying-party cares"
GW> scenarios, because it's not obvious without actually reading the specs
GW> themselves...

GW> 	-Gabe

>> -----Original Message-----
>> From: specs-bounces at openid.net
>> [mailto:specs-bounces at openid.net] On Behalf
>> Of Chris Drake
>> Sent: Wednesday, October 04, 2006 8:26 PM
>> To: Kevin Turner
>> Cc: specs at openid.net
>> Subject: Re[2]: [PROPOSAL] authentication age
>> 
>> Hi Kevin,
>> 
>> Sounds like you're leaning towards a root authority for IdPs who can
>> audit procedures and verify protection in order to sign the IdP's
>> keys?
>> 
>> Joe blogger doesn't care much about identity assertions from an IdP,
>> but it's a reasonable bet to expect that a Bank might care...
>> 
>> Kind Regards,
>> Chris Drake
>> 
>> 
>> _______________________________________________
>> specs mailing list
>> specs at openid.net
>> http://openid.net/mailman/listinfo/specs
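The thread above argues that a relying party such as a bank needs to (a) accept assertions only from IdPs it has explicitly accredited, (b) require a particular authentication class such as two-factor, and (c) bound the age of the authentication. The following Python sketch is an added illustration of how an RP-side policy check combining those three rules could be evaluated; it is not code from the thread, from 1id.com, or from the OpenID specification. The class and field names (`RpPolicy`, `Assertion`, `auth_classes`, `auth_time`) are assumptions for this example, and the signature is a simplified HMAC over canonical key:value lines, in the spirit of an OpenID association's shared MAC key but not the spec's actual wire format. The RP only holds MAC keys for IdPs it has accredited, so an assertion from any other endpoint fails before its contents are even examined.

```python
import hashlib
import hmac
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone


# Hypothetical RP-side policy (names are assumptions for this example).
@dataclass(frozen=True)
class RpPolicy:
    accredited_idps: dict        # IdP endpoint -> shared MAC key from its association
    required_auth_classes: frozenset   # e.g. {"multi-factor"}
    max_auth_age: timedelta      # oldest authentication the RP will accept


@dataclass(frozen=True)
class Assertion:
    idp_endpoint: str
    claimed_id: str
    auth_classes: frozenset      # how the IdP says the user was authenticated
    auth_time: datetime          # when the IdP actually authenticated the user
    sig: bytes                   # HMAC over the signed fields


def signed_fields(a):
    # Canonical key:value lines in a fixed order, so that signer and verifier
    # hash exactly the same bytes (simplified; not OpenID's exact format).
    lines = [
        "idp_endpoint:" + a.idp_endpoint,
        "claimed_id:" + a.claimed_id,
        "auth_classes:" + ",".join(sorted(a.auth_classes)),
        "auth_time:" + a.auth_time.isoformat(),
    ]
    return ("\n".join(lines) + "\n").encode()


def sign(fields, mac_key):
    return hmac.new(mac_key, fields, hashlib.sha256).digest()


def evaluate(assertion, policy, now):
    """Return (accepted, reason). Accreditation is checked first so an
    unaccredited IdP is rejected before any of its claims are trusted."""
    mac_key = policy.accredited_idps.get(assertion.idp_endpoint)
    if mac_key is None:
        return False, "idp not accredited"
    expected = sign(signed_fields(assertion), mac_key)
    if not hmac.compare_digest(expected, assertion.sig):
        return False, "bad signature"
    missing = policy.required_auth_classes - assertion.auth_classes
    if missing:
        return False, "missing auth classes: " + ",".join(sorted(missing))
    age = now - assertion.auth_time
    if age < timedelta(0):
        return False, "auth_time in the future"
    if age > policy.max_auth_age:
        return False, "authentication too old"
    return True, "ok"


def demo():
    # Constructed sample data: one accredited IdP with its association key,
    # an RP that requires multi-factor authentication no older than 5 minutes.
    bank_key = b"constructed-mac-key-for-accredited-idp"
    policy = RpPolicy(
        accredited_idps={"https://idp.example/openid": bank_key},
        required_auth_classes=frozenset({"multi-factor"}),
        max_auth_age=timedelta(minutes=5),
    )
    now = datetime(2006, 10, 5, 4, 0, tzinfo=timezone.utc)

    def make(endpoint, classes, minutes_ago, key):
        a = Assertion(endpoint, "https://alice.example/", frozenset(classes),
                      now - timedelta(minutes=minutes_ago), b"")
        return replace(a, sig=sign(signed_fields(a), key))

    cases = {
        "good": make("https://idp.example/openid", {"multi-factor"}, 1, bank_key),
        "stale": make("https://idp.example/openid", {"multi-factor"}, 30, bank_key),
        "weak": make("https://idp.example/openid", {"password"}, 1, bank_key),
        "unknown": make("https://other-idp.example/openid", {"multi-factor"}, 1, b"other-key"),
        "wrong_key": make("https://idp.example/openid", {"multi-factor"}, 1, b"not-the-association-key"),
    }
    return {name: evaluate(a, policy, now) for name, a in cases.items()}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The order of checks matters: a relying party in the "cares how authentication happened" position should decide whether it trusts the IdP at all before it reads anything the IdP asserts, and should treat the authentication class and age as claims that are only meaningful once the signature under that IdP's key has been verified.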
