2.0 Spec Questions

Recordon, David drecordon at verisign.com
Tue Jan 23 20:00:54 UTC 2007


James, for 3 have you looked at
http://openid.net/specs/openid-assertion-quality-extension-1_0-03.html?
I don't think it addresses the specific point you brought up, though it
may be the right place to do it.

--David 

-----Original Message-----
From: specs-bounces at openid.net [mailto:specs-bounces at openid.net] On
Behalf Of James McGovern
Sent: Sunday, January 21, 2007 4:49 PM
To: specs at openid.net
Subject: 2.0 Spec Questions
Sensitivity: Confidential

Several questions after reading the 2.0 spec - draft 11.

1. The definition of realm if I am reading it correctly could be
problematic in large enterprises. For example, if one were using a web
access management product, they would have the ability to define a realm
in terms of a listing of discrete hosts that may or may not fit a URL
pattern matching approach.
For example, I could have a demographic called consumers who could
access hosts such as http://myconsumer.example.com,
http://printstatements.example.com, http://paybills.example.com. Likewise
another demographic called Business Partner may have a different set of
hosts they can interact with.

2. In terms of checking the nonce, can we recommend that a deployment
practice should be to use the NTP protocol and point to clocks of a
certain stratum? Likewise, would it be a good idea if an association
could indicate how much skew it would accept before rejecting?

3. In terms of an extension, should an OP be able to indicate when
reauth may be required so the user doesn't assume that if they
authenticate once they are always good?

4. Some portions of the spec are heavily coupled to PKI. How should
growing users of IBE think of this?
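
Added example, not part of the original thread or of the specification text: a relying-party nonce check for question 2 that applies an explicit clock-skew window and a replay cache. It assumes the response nonce layout of the final OpenID Authentication 2.0 spec (a UTC timestamp such as 2005-05-15T17:11:51Z followed by printable ASCII); the NonceChecker name, the 5 minute default and the endpoint URL are hypothetical.

```python
from datetime import datetime, timedelta, timezone

TS_LEN = len("2005-05-15T17:11:51Z")  # fixed-width UTC timestamp prefix
MAX_NONCE_LEN = 255


class NonceChecker:
    """Hypothetical relying-party helper: skew window plus replay cache."""

    def __init__(self, max_skew=timedelta(minutes=5)):  # assumed default
        self.max_skew = max_skew
        self.seen = {}  # (op_endpoint, nonce) -> timestamp carried in the nonce

    def check(self, op_endpoint, nonce, now=None):
        """Return 'ok', 'malformed', 'outside-skew' or 'replay'."""
        now = now or datetime.now(timezone.utc)
        if not TS_LEN <= len(nonce) <= MAX_NONCE_LEN:
            return "malformed"
        # The uniqueness suffix must be printable, non-space ASCII.
        if any(not 33 <= ord(c) <= 126 for c in nonce[TS_LEN:]):
            return "malformed"
        try:
            issued = datetime.strptime(nonce[:TS_LEN], "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            return "malformed"
        issued = issued.replace(tzinfo=timezone.utc)
        # Stale and future-dated nonces are both rejected: either one means
        # the two clocks disagree by more than the accepted skew.
        if abs(now - issued) > self.max_skew:
            return "outside-skew"
        # Entries older than the window can never pass the check above,
        # so they are safe to drop from the replay cache.
        cutoff = now - self.max_skew
        self.seen = {k: t for k, t in self.seen.items() if t >= cutoff}
        key = (op_endpoint, nonce)  # nonces are unique per OP endpoint
        if key in self.seen:
            return "replay"
        self.seen[key] = issued
        return "ok"


if __name__ == "__main__":
    rp = NonceChecker()
    now = datetime(2007, 1, 23, 20, 0, 54, tzinfo=timezone.utc)  # constructed clock
    op = "https://op.example.com/endpoint"  # constructed endpoint
    for n in ("2007-01-23T20:00:00ZabC123", "2007-01-23T20:00:00ZabC123",
              "2007-01-23T19:50:00Zxyz"):
        print(n, "->", rp.check(op, n, now))
```

The skew window also bounds how long nonces have to be stored: anything older than max_skew fails on its timestamp, so the cache can forget it.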

