Strong Authencation (was [PROPOSAL] authentication age
Chris Drake
christopher at pobox.com
Thu Oct 5 17:21:47 UTC 2006
Hi All,
1. Amazon asks the IdP "Please assert this user is not a Robot"
How can it trust this occurred?
2. Amazon asks the IdP "Please re-authenticate this user, via
two-factor, two-way strong authentication"
How can it trust *this* occurred?
The IdP can *say* it did, but would RPs prefer a "stronger" role to
encourage adoption? (eg: #1 - the RP provides the captcha, and the
hash of the solution, while the IdP returns the solution, or #2 - the
RP provides a nonce and later looks for this nonce in the IdP's
also-signed-by-the-authentication-vendor-technology response)
i.e.: It might get ugly to try and add this stuff in later if we've
not catered up-front for these kinds of interchanges.
Kind Regards,
Chris Drake
More information about the specs
mailing list