Some PAPE Wording Clarifications
Johnny Bufu
johnny at sxip.com
Tue Oct 23 17:05:51 UTC 2007
+ [...] For example it is recommended that if the OP
+ specified the Multi-Factor Physical Authentication policy
and the RP
+ requested the Multi-Factor Authentication policy, that the RP's
+ requirements were met.
This puts undue requirements on the RP implementations. As a design
principle, I believe the goals were to make required effort and
adoption and as easy as possible for RPs, and have more happening on
the OP where possible. I would at least complement, if not replace,
this patch with:
"For example, if the RP requested Multi-Factor and the OP supports
Multi-Factor Physical, it is recommended that the OP includes both
policies in the response."
As I argued on the osis list, the OP is in the best position to make
judgments about the qualities of its authentication mechanisms, and
it should respond to the point to the RP's requests. What if the RP
knows what Multi-Factor means, but has no idea (and no interest) in
Multi-Factor-Physical?
Johnny
More information about the specs
mailing list