Defining PAPE "active authentication" (WAS: Re: PAPE Extension Specification)

Paul Madsen paulmadsen at rogers.com
Mon Oct 22 22:18:09 UTC 2007


SAML 2.0 expresses it in terms of whether or not the authentication is 
'passive'

paul

David Recordon wrote:
> Agreed with Jonathan here, don't think we need to define a policy URI  
> for "active".  Rather need to clarify what is meant in section 5.1.
> 	(Optional) If the End User has not actively authenticated to the OP  
> within the number
> 	of seconds specified in a manner fitting the requested policies, the  
> OP MUST
> 	authenticate the End User for this request.
>
> What about?
> 	Active authentication is defined as the user providing a credential  
> to the OP beyond a cookie which passively stores prior authentication  
> credentials.
>
> Still don't like that definition, but hopefully a few iterations and  
> we'll get there.  Also asking around in the security community if  
> there is a definition for this.
>
> --David
>
> On Oct 11, 2007, at 9:33 AM, Johnny Bufu wrote:
>
>> On 8-Oct-07, at 4:56 PM, Jonathan Daugherty wrote:
>>
>>> # Yep, the idea is for the PAPE spec to define a few generic and
>>> # agreed upon policies and then RPs and OPs can create others.  Thus
>>> # if there isn't agreement on a policy, there would be multiple  
>>> policy
>>> # URIs.  Same concept as in Attribute Exchange.
>>>
>>> Using policy URIs to indicate certain modes of authentication is a
>>> fine idea, but that doesn't really address the original issue: the
>>> spec does not define "active" ("direct") authentication.
>> Agreed. PAPE spec should define one such policy that's acceptable  
>> for most of the OPs/RPs (and tie auth_age to it), leaving the  
>> possibility open for anyone to define other similar policies.
>>
>> This could be a bit tricky to specify if there's another parameter  
>> involved, but we should be able to come up with a solution.
>>
>> Johnny
>>
>>
>
>
> _______________________________________________
> specs mailing list
> specs at openid.net
> http://openid.net/mailman/listinfo/specs
>
>

-- 
Paul Madsen             e:paulmadsen @ ntt-at.com
NTT                     p:613-482-0432
                        m:613-282-8647
                        aim:PaulMdsn5
                        web:connectid.blogspot.com 
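As an added illustration, and not code from this thread, from the PAPE draft or from any OpenID implementation: the section 5.1 rule David quotes ("if the End User has not actively authenticated to the OP within the number of seconds specified in a manner fitting the requested policies, the OP MUST authenticate the End User") written out as the decision an OP would make, with the active/passive distinction Paul points to in SAML 2.0 carried as a flag on the stored authentication event. The field names (`max_auth_age`, `requested_policies`, `active`) and the two policy URIs are hypothetical names chosen for the example, modelled on the `auth_age` and policy-URI discussion above rather than taken from the specification.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Hypothetical policy URIs, constructed for this example only; PAPE leaves
# the concrete set of agreed policies to the spec and to RPs/OPs.
POLICY_PHISHING_RESISTANT = "http://policy.example/phishing-resistant"
POLICY_MULTI_FACTOR = "http://policy.example/multi-factor"


@dataclass(frozen=True)
class AuthEvent:
    """How and when the End User last authenticated at the OP."""
    auth_time: int                          # seconds since the epoch
    active: bool                            # True if a credential was presented beyond a session cookie
    policies: FrozenSet[str] = frozenset()  # policy URIs that the authentication satisfied


@dataclass(frozen=True)
class RpRequest:
    """What the RP asked for (hypothetical field names)."""
    max_auth_age: Optional[int] = None              # None: the RP does not constrain freshness
    requested_policies: FrozenSet[str] = frozenset()


def classify(event: Optional[AuthEvent]) -> str:
    """The SAML-style view of the same data: was the last authentication active or passive?"""
    if event is None:
        return "none"
    return "active" if event.active else "passive"


def must_reauthenticate(last: Optional[AuthEvent], req: RpRequest, now: int) -> bool:
    """Return True when the OP MUST authenticate the End User for this request.

    This implements only the rule quoted from section 5.1: the freshness
    requirement is triggered by max_auth_age, and a session restored purely
    from a cookie is passive, so it never counts as a recent active
    authentication.
    """
    if req.max_auth_age is None:
        # The RP expressed no freshness requirement; section 5.1 imposes nothing.
        return False
    if last is None:
        return True                      # never authenticated at this OP
    if not last.active:
        return True                      # cookie-only (passive) session does not qualify
    if now - last.auth_time > req.max_auth_age:
        return True                      # the active authentication is too old
    # "in a manner fitting the requested policies": the recent active
    # authentication must also have met every policy the RP asked for.
    if not req.requested_policies <= last.policies:
        return True
    return False
```

The check deliberately treats a cookie-restored session as failing `max_auth_age` outright rather than comparing its timestamp, which is the point of the definition being argued over in the thread: the age that matters is the age of the last credential presentation, not the age of the session.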



