[OpenID] Announcing OpenID Authentication 2.0 - Implementor's Draft 11

Josh Hoyt josh at janrain.com
Mon Jan 22 17:33:43 UTC 2007


Ben,

On 1/22/07, Ben Laurie <benl at google.com> wrote:
> OK, the idea is pretty simple. Rather like the "OpenID Authentication
> Security Profiles" you have a profile where the RP states what kind of
> End User/OP authentication is acceptable to it. Sites with low/zero
> value attached to the login can accept any kind of EU/OP auth, whereas
> high value sites can require "unphishable" auth.

I like the sound of this proposal, but I don't see how the RP could
know whether the OP is actually using "unphishable" authentication
when that kind of authentication is requested. Is it necessary for the
RP to be able to tell for sure, and if so, how could it tell?

Josh



More information about the specs mailing list