[OpenID] identify RP when it gets OpenID URL

Manger, James H James.H.Manger at team.telstra.com
Thu Oct 18 01:43:47 UTC 2007


PAPE may be another approach (to support per-user per-RP login policies). It certainly will not always be “cleaner”. It is not a reason against enabling a discovery-based approach.

This PAPE suggestion requires the RP and OP to implement what the user wants. A discovery-based approach only requires the web site hosting the user’s identifier to implement what the user wants.

 

> The PAPE-enabled backup service requests that the OP authenticates Alice
> in a manner compliant with certain policies,
> that are satisfactory to Alice's security requirements for a backup service.

PAPE must be implemented by the backup service AND the OP. Alice’s policy must be expressible in PAPE’s language. The backup service must have a GUI for Alice to choose her security requirements. The backup service has to remember per-user login requirements – which is rather at odds with a main point of OpenID of the RP not having to be involved with how Alice is authenticated. Every other RP where Alice wants to tweak her login policy also needs to support this… Please don’t make this the only way to implement this style of feature.

 

There have always been 4 entities in an OpenID login: the user (with a browser); the OP; the RP; and the web site hosting the user’s identifier. The last entity can simply be a static HTML page, which is a huge bonus. Identifying the RP to this entity enables (but doesn’t require) it to be more than a static page – when that is useful (ie for users, circumstances and functions where it turns out to be the easiest implementation point).

 

	_____________________________________________
	From: Johnny Bufu [mailto:johnny at sxip.com]
	Sent: Thursday, 18 October 2007 4:15 AM
	To: Manger, James H
	Cc: specs at openid.net

	I believe there's a cleaner way to address this, that would not complicate the things that Alice needs to know about the inner workings of OpenID (and without her having to use different identities for different purposes):

	The PAPE-enabled backup service requests that the OP authenticates Alice in a manner compliant with certain policies, that are satisfactory to Alice's security requirements for a backup service.

________________________________

From: Manger, James H 
Sent: Wednesday, 17 October 2007 12:59 PM
To: 'specs at openid.net'
Subject: [OpenID] identify RP when it gets OpenID URL

…

Add the following paragraph at the end of section 7.3 Discovery:

“The Relying Party MUST include a From HTTP header field in each HTTP request made during discovery. The From field holds an email address for the RP (eg From: openid at example.net) [RFC2616]. This enables the discovered information to vary based on the RP. The From field is not authenticated so it is not appropriate to use for access control.”

…
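The per-RP discovery idea quoted above (the RP sends a From header on every discovery request, and the site hosting the identifier varies its answer on it) worked through as an added example. This is not code from the thread or from any OpenID library: the RP contact addresses, OP endpoints, host name and policy table are constructed placeholders, and the HTML link-based discovery shown is the plain `<link rel="openid2.provider">` form.

```python
"""Per-RP OpenID discovery keyed on the From header.

Models the fourth entity in the thread: the site hosting Alice's identifier.
It reads the (unauthenticated) From field the RP sends during discovery and
advertises a different OP endpoint for RPs Alice wants handled more strictly.
Every address, endpoint and policy entry below is a constructed placeholder.
"""
from html.parser import HTMLParser

# Constructed policy for Alice's identifier page: which OP endpoint to
# advertise to which RP. Unknown or absent From values get the default.
DEFAULT_OP = "https://casual-op.example/openid"
PER_RP_OP = {
    "openid@backup.example": "https://strict-op.example/openid",
}


def rp_discovery_headers(rp_contact):
    """Headers an RP would send on a discovery GET under the proposal:
    a From field carrying the RP's contact address (RFC 2616 section 14.22)."""
    return {
        "Host": "alice.example",
        "Accept": "text/html",
        "From": rp_contact,
    }


def requesting_rp(request_headers):
    """Pull the From value out of the request, matching the header name
    case-insensitively as HTTP requires. The address is lower-cased purely
    for the policy lookup. Returns None when the field is absent."""
    for name, value in request_headers.items():
        if name.lower() == "from":
            return value.strip().lower()
    return None


def discovery_document(request_headers):
    """HTML the identifier-hosting site serves for a discovery request.

    From is client-supplied and unauthenticated, so it is used only to pick
    which OP endpoint to advertise; nothing is granted or denied on it, and
    whichever OP is chosen still authenticates Alice itself."""
    op_endpoint = PER_RP_OP.get(requesting_rp(request_headers), DEFAULT_OP)
    return (
        "<html><head>\n"
        f'<link rel="openid2.provider" href="{op_endpoint}">\n'
        '<link rel="openid2.local_id" href="https://alice.example/">\n'
        "</head><body>Alice's identifier page</body></html>\n"
    )


class _ProviderLink(HTMLParser):
    """Collect the href of the openid2.provider <link>, as an RP would."""

    def __init__(self):
        super().__init__()
        self.provider = None

    def handle_starttag(self, tag, attrs):
        if tag == "link":
            attributes = dict(attrs)
            if attributes.get("rel") == "openid2.provider":
                self.provider = attributes.get("href")


def provider_from_html(document):
    """RP side of HTML-based discovery: extract the advertised OP endpoint."""
    parser = _ProviderLink()
    parser.feed(document)
    parser.close()
    return parser.provider


def discovered_op(rp_contact):
    """Round trip: RP builds the request, host answers, RP parses the answer."""
    return provider_from_html(discovery_document(rp_discovery_headers(rp_contact)))


if __name__ == "__main__":
    print("backup RP ->", discovered_op("openid@backup.example"))
    print("blog RP   ->", discovered_op("openid@blog.example"))
    # An RP that omits From (or predates the proposal) simply gets the default OP.
    print("no From   ->", provider_from_html(discovery_document({"Host": "alice.example"})))
```

The host page only ever routes on From; it never refuses discovery or leaks anything extra based on it. That is the practical reading of the "not appropriate to use for access control" sentence: any client can put any address in From, so the worst a mislabelled request achieves here is being pointed at a different OP, which still has to authenticate Alice before the RP learns anything.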

 
