Defining PAPE "active authentication" (WAS: Re: PAPE Extension Specification)
David Recordon
drecordon at sixapart.com
Mon Oct 22 21:23:05 UTC 2007
Agreed with Jonathan here, don't think we need to define a policy URI
for "active". Rather need to clarify what is meant in section 5.1.
(Optional) If the End User has not actively authenticated to the OP
within the number
of seconds specified in a manner fitting the requested policies, the
OP MUST
authenticate the End User for this request.
What about?
Active authentication is defined as the user providing a credential
to the OP beyond a cookie which passively stores prior authentication
credentials.
Still don't like that definition, but hopefully a few iterations and
we'll get there. Also asking around in the security community if
there is a definition for this.
--David
On Oct 11, 2007, at 9:33 AM, Johnny Bufu wrote:
>
> On 8-Oct-07, at 4:56 PM, Jonathan Daugherty wrote:
>
>> # Yep, the idea is for the PAPE spec to define a few generic and
>> # agreed upon policies and then RPs and OPs can create others. Thus
>> # if there isn't agreement on a policy, there would be multiple
>> policy
>> # URIs. Same concept as in Attribute Exchange.
>>
>> Using policy URIs to indicate certain modes of authentication is a
>> fine idea, but that doesn't really address the original issue: the
>> spec does not define "active" ("direct") authentication.
>
> Agreed. PAPE spec should define one such policy that's acceptable
> for most of the OPs/RPs (and tie auth_age to it), leaving the
> possibility open for anyone to define other similar policies.
>
> This could be a bit tricky to specify if there's another parameter
> involved, but we should be able to come up with a solution.
>
> Johnny
>
>
More information about the specs
mailing list