[OpenID] Announcing OpenID Authentication 2.0 - Implementor's Draft 11

Ben Laurie benl at google.com
Mon Jan 22 17:45:36 UTC 2007


On 1/22/07, Josh Hoyt <josh at janrain.com> wrote:
> Ben,
>
> On 1/22/07, Ben Laurie <benl at google.com> wrote:
> > OK, the idea is pretty simple. Rather like the "OpenID Authentication
> > Security Profiles" you have a profile where the RP states what kind of
> > End User/OP authentication is acceptable to it. Sites with low/zero
> > value attached to the login can accept any kind of EU/OP auth, whereas
> > high value sites can require "unphishable" auth.
>
> I like the sound of this proposal, but I don't see how the RP could
> know whether the OP is actually using "unphishable" authentication
> when that kind of authentication is requested. Is it necessary for the
> RP to be able to tell for sure, and if so, how could it tell?

No, I don't think it is necessary. If users want to trust their
identity to OPs that lie, that's their decision.


