Strong Authentication (was [PROPOSAL] authentication age

Chris Drake christopher at pobox.com
Thu Oct 5 17:21:47 UTC 2006


Hi All,

1. Amazon asks the IdP "Please assert this user is not a Robot"
   How can it trust this occurred?

2. Amazon asks the IdP "Please re-authenticate this user, via
   two-factor, two-way strong authentication"
   How can it trust *this* occurred?

The IdP can *say* it did, but would RPs prefer a "stronger" role to
encourage adoption? (eg: #1 - the RP provides the captcha, and the
hash of the solution, while the IdP returns the solution, or #2 - the
RP provides a nonce and later looks for this nonce in the IdP's
also-signed-by-the-authentication-vendor-technology response)

i.e.: It might get ugly to try and add this stuff in later if we've
not catered up-front for these kinds of interchanges.

Kind Regards,
Chris Drake
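The two "stronger role" exchanges sketched above (the RP-supplied captcha with a hash of its solution, and the RP nonce that must reappear in a response signed by both the IdP and the authentication vendor), written out as an added example. This is not code from the post or from any OpenID implementation: the field names, the JSON-over-HMAC signing, and the `ASSOC_SECRET` / `VENDOR_KEY` values are all constructed for illustration. An HMAC with a key the IdP does not hold stands in for the vendor's own (in practice public-key) signature, and the captcha hash is salted with a value the RP keeps so a short solution cannot be recovered by brute force.

```python
import hashlib
import hmac
import json
import secrets

# Constructed keys, not real credentials: the RP/IdP shared association
# secret, and a separate signing key held only by the authentication vendor.
ASSOC_SECRET = b"constructed-rp-idp-association-secret"
VENDOR_KEY = b"constructed-auth-vendor-signing-key"


def mac(key: bytes, fields: dict) -> str:
    """HMAC-SHA256 over a canonical (sorted-key JSON) encoding of the fields."""
    encoded = json.dumps(fields, sort_keys=True).encode()
    return hmac.new(key, encoded, hashlib.sha256).hexdigest()


# ---- Proposal #1: RP supplies the captcha plus a commitment to its solution ----

def rp_issue_captcha(solution: str):
    """RP side: build the challenge sent to the IdP and the salt the RP keeps.
    Only the salted hash leaves the RP; the solution itself does not."""
    salt = secrets.token_bytes(16)
    commitment = hashlib.sha256(salt + solution.encode()).hexdigest()
    challenge = {"captcha_id": secrets.token_hex(8), "solution_hash": commitment}
    return challenge, salt


def rp_check_captcha(challenge: dict, salt: bytes, returned_solution: str) -> bool:
    """RP side: the solution the IdP hands back must hash to the issued commitment."""
    actual = hashlib.sha256(salt + returned_solution.encode()).hexdigest()
    return hmac.compare_digest(challenge["solution_hash"], actual)


# ---- Proposal #2: RP nonce echoed in a doubly-signed re-authentication response ----

def rp_make_auth_request() -> dict:
    """RP side: fresh nonce plus the authentication level being demanded."""
    return {"nonce": secrets.token_hex(16), "auth_level": "two-factor-two-way"}


def vendor_sign_assertion(nonce: str, method: str) -> dict:
    """Vendor side: asserts which method was completed, bound to the RP's nonce."""
    assertion = {"nonce": nonce, "method": method}
    return {**assertion, "vendor_sig": mac(VENDOR_KEY, assertion)}


def idp_respond(request: dict, vendor_assertion: dict) -> dict:
    """IdP side: wraps the vendor assertion and signs the whole response."""
    body = {"nonce": request["nonce"], "vendor_assertion": vendor_assertion}
    return {**body, "idp_sig": mac(ASSOC_SECRET, body)}


def rp_verify_response(request: dict, response: dict, seen_nonces: set) -> bool:
    """RP side: both signatures, nonce binding, requested method, and no replay."""
    body = {k: v for k, v in response.items() if k != "idp_sig"}
    if not hmac.compare_digest(response.get("idp_sig", ""), mac(ASSOC_SECRET, body)):
        return False  # IdP signature bad: response not from our association partner
    va = response.get("vendor_assertion", {})
    inner = {k: v for k, v in va.items() if k != "vendor_sig"}
    if not hmac.compare_digest(va.get("vendor_sig", ""), mac(VENDOR_KEY, inner)):
        return False  # vendor signature bad: IdP merely *saying* it re-authenticated
    if response.get("nonce") != request["nonce"] or va.get("nonce") != request["nonce"]:
        return False  # assertion not bound to this request
    if va.get("method") != request["auth_level"]:
        return False  # weaker method than the RP asked for
    if request["nonce"] in seen_nonces:
        return False  # replayed response
    seen_nonces.add(request["nonce"])
    return True


if __name__ == "__main__":
    challenge, salt = rp_issue_captcha("x7q9")  # constructed captcha solution
    print("captcha ok:", rp_check_captcha(challenge, salt, "x7q9"))
    req = rp_make_auth_request()
    resp = idp_respond(req, vendor_sign_assertion(req["nonce"], "two-factor-two-way"))
    print("strong auth ok:", rp_verify_response(req, resp, set()))
```

The point the verification order makes: an IdP that did not actually run the vendor's strong authentication has nothing it can sign to satisfy `rp_verify_response`, because the vendor signature covers the RP's nonce and the method name, and the RP rejects a method weaker than it requested as well as any nonce it has already accepted.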
