RECOMMENDED: Proposal to create the PAPE working group

Dick Hardt dick at
Thu May 22 21:15:45 PDT 2008

The specifications council recommends that the Foundation members  
approve the creation of the Provider Authentication Policy Extension  
(PAPE) working group, as proposed below.

-- Dick

On 22-May-08, at 3:25 PM, Mike Jones wrote:

> This message is being sent to revise the proposal to create the PAPE  
> working group, changing only one word, so that the projected  
> completion date is July 2008, rather than May 2008.  The complete  
> text of the revised proposal follows.
>                                                             --- Mike
> In accordance with the OpenID Foundation IPR policies and procedures  
> this note proposes the formation of a new working group chartered to  
> produce an OpenID specification.  As per Section 4.1 of the  
> Policies, the specifics of the proposed working group are:
> Proposal:
> (a)  Charter.
>                 (i)  WG name:  Provider Authentication Policy  
> Extension (PAPE)
>                 (ii)  Purpose:  Produce a standard OpenID extension  
> to the OpenID Authentication protocol that:  provides a mechanism by  
> which a Relying Party can request that particular authentication  
> policies be applied by the OpenID Provider when authenticating an  
> End User and provides a mechanism by which an OpenID Provider may  
> inform a Relying Party which authentication policies were used. Thus  
> a Relying Party can request that the End User authenticate, for  
> example, using a phishing-resistant and/or multi-factor  
> authentication method.
>                 (iii)  Scope:  Produce a revision of the PAPE 1.0  
> Draft 2 specification that clarifies its intent, while maintaining  
> compatibility for existing Draft 2 implementations.  Adding any  
> support for communicating requests for or the use of specific  
> authentication methods (as opposed to authentication policies) is  
> explicitly out of scope.
>                 (iv)  Proposed List of Specifications:  Provider  
> Authentication Policy Extension 1.0, spec completion expected during  
> July 2008.
>                 (v)  Anticipated audience or users of the work:   
> Implementers of OpenID Providers and Relying Parties – especially  
> those interested in mitigating the phishing vulnerabilities of  
> logging into OpenID providers with passwords.
>                 (vi)  Language in which the WG will conduct  
> business:  English.
>                 (vii)  Method of work:  E-mail discussions on the  
> working group mailing list, working group conference calls, and  
> possibly a face-to-face meeting at the Internet Identity Workshop.
>                 (viii)  Basis for determining when the work of the  
> WG is completed:  Proposed changes to draft 2 will be evaluated on  
> the basis of whether they increase or decrease consensus within the  
> working group.  The work will be completed once it is apparent that  
> maximal consensus on the draft has been achieved, consistent with  
> the purpose and scope.
> (b)  Background Information.
>                 (i)  Related work being done in other WGs or  
> organizations:  (1) Assurance Levels as defined by the National  
> Institute of Standards and Technology (NIST) in Special Publication  
> 800-63 (Burr, W., Dodson, D., and W. Polk, Ed., “Electronic  
> Authentication Guideline,” April 2006.) [NIST_SP800‑63].  This  
> working group is needed to enable authentication policy statements  
> to be exchanged by OpenID endpoints.  No coordination is needed with  
> NIST, as the PAPE specification uses elements of the NIST  
> specification in the intended fashion.
>                 (ii)  Proposers:
>                                 Michael B. Jones, mbj at,  
> Microsoft Corporation
>                                 David Recordon,  
> drecordon at, Six Apart Corporation
>                                 Ben Laurie, benl at, Google  
> Corporation
>                                 Drummond Reed, drummond.reed at 
> , Cordance Corporation
>                                 John Bradley,  
> john.bradley at, Wingaa Corporation
>                                 Johnny Bufu, johnny.bufu at,  
> Independent
>                                 Dick Hardt, dick at,  Sxip  
> Identity Corporation
> Editors:
>                                 Michael B. Jones, mbj at,  
> Microsoft Corporation
>                                 David Recordon,  
> drecordon at, Six Apart Corporation
>                 (iii)  Anticipated Contributions:  None.
> _______________________________________________
> specs mailing list
> specs at

-------------- next part --------------
An HTML attachment was scrubbed...

More information about the specs mailing list