Some PAPE Wording Clarifications

Johnny Bufu johnny at sxip.com
Tue Oct 23 17:05:51 UTC 2007


+ 	  [...] For example it is recommended that if the OP
+        specified the Multi-Factor Physical Authentication policy  
and the RP
+        requested the Multi-Factor Authentication policy, that the RP's
+        requirements were met.
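Review bot: the recommendation in this hunk never names the party that is supposed to judge that "the RP's requirements were met", so it reads as an assertion of fact rather than a recommended behaviour; the sentence also mixes tenses ("it is recommended ... that ... were met"). Consider stating explicitly who is expected to make that determination, e.g. "it is recommended that the RP treat its Multi-Factor Authentication requirement as satisfied", so implementers know whether this is an obligation on the RP or on the OP.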

This puts undue requirements on the RP implementations. As a design principle, I believe the goals were to make the required effort and adoption as easy as possible for RPs, and to have more happening on the OP where possible. I would at least complement, if not replace, this patch with:

"For example, if the RP requested Multi-Factor and the OP supports Multi-Factor Physical, it is recommended that the OP includes both policies in the response."

As I argued on the osis list, the OP is in the best position to make judgments about the qualities of its authentication mechanisms, and it should respond to the point to the RP's requests. What if the RP knows what Multi-Factor means, but has no idea about (and no interest in) Multi-Factor-Physical?


Johnny
