Getting authentication strength when accepting OpenID

Paul Madsen paulmadsen at rogers.com
Mon Aug 16 12:40:33 UTC 2010


  and wrt the 'standards' for what goes in the PAPE extension, look at

http://openidentityexchange.org/ and

http://kantarainitiative.org/confluence/display/certification/Identity+Assurance+Certification+Program

On 16/08/2010 2:22 AM, David Recordon wrote:
> Hey Dennis, take a look at the Provider Authentication Policy Exchange
> extension as it's meant to provide some of this sort of information.
> It is a bit more abstract than what you're describing, but has been
> used successfully for similar needs
>
> http://openid.net/specs/openid-provider-authentication-policy-extension-1_0.html
>
> --David
>
>
> On Sun, Aug 15, 2010 at 10:08 PM, Dennis Gearon <gearond at sbcglobal.net> wrote:
>> I would like to hear some small discussion on an idea/request that I have for the openID spec.
>>
>> When validating with an openID source/server (not up to speed on architecture of openID yet), part of what gets returned is the following data:
>>
>> A/ A standardized authentication-difficulty rating from the site validating the user. I.E., If my password at yahoo is only 6 characters long, and Yahoo accepts it, yahoo still runs an openID lib procedure against the password when it's created and some standard values get returned, i.e.:
>>
>>     weak
>>     OK
>>     strong
>>     exceptional.
>>
>> B/ A second field saying whether multiple tokens were used, such as:
>>
>>     one time pad rotating code key fobs
>>     password and drop of blood
>>     password and handprint
>>     et al.
>>
>> OR, it could send a value saying it meets certain standards out there, if there are any. Maybe setting standards would be a good idea!!! I bet the military has some. Apparently, congressmen and others aren't required to use them on their email/social site accounts ;-)
>>
>>
>>
>>
>> Dennis Gearon
>>
>> Signature Warning
>> ----------------
>> EARTH has a Right To Life,
>>    otherwise we all die.
>>
>> Read 'Hot, Flat, and Crowded'
>> Laugh at http://www.yert.com/film.php
>>
>> _______________________________________________
>> specs mailing list
>> specs at lists.openid.net
>> http://lists.openid.net/mailman/listinfo/openid-specs
>>


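How a relying party might read the PAPE response fields that David Recordon's reply points to, covering both of Dennis Gearon's items (an assurance rating and a multi-factor indication). This is an added example, not part of the thread or of any OpenID library; the function name `check_pape`, the 10-minute and NIST level 2 thresholds, and the sample assertion are assumptions, and the assertion's signature is assumed to be verified already.

```python
from datetime import datetime, timedelta, timezone

PAPE_NS = "http://specs.openid.net/extensions/pape/1.0"
MULTI_FACTOR = "http://schemas.openid.net/pape/policies/2007/06/multi-factor"
NIST_NS = "http://csrc.nist.gov/publications/nistpubs/800-63/SP800-63V1_0_2.pdf"

def check_pape(params, now, max_age=timedelta(minutes=10), min_nist=2):
    """Evaluate PAPE fields of a positive assertion whose signature is already verified."""
    signed = set(params.get("openid.signed", "").split(","))

    def signed_items(prefix):
        # Only fields listed in openid.signed are covered by the OP's signature.
        return {k[len("openid."):]: v for k, v in params.items()
                if k.startswith("openid." + prefix) and k[len("openid."):] in signed}

    # The OP chooses the extension alias, so resolve it from the namespace URI.
    alias = next((k[3:] for k, v in signed_items("ns.").items() if v == PAPE_NS), None)
    if alias is None:
        return False, "no signed PAPE response"
    pape = signed_items(alias + ".")
    if MULTI_FACTOR not in pape.get(alias + ".auth_policies", "").split():
        return False, "multi-factor policy not asserted"
    try:
        when = datetime.strptime(pape[alias + ".auth_time"], "%Y-%m-%dT%H:%M:%SZ")
    except (KeyError, ValueError):
        return False, "auth_time missing or malformed"
    if now - when.replace(tzinfo=timezone.utc) > max_age:
        return False, "authentication too old"
    # Assurance levels are namespaced too: find the alias bound to the NIST scale.
    ns_prefix = alias + ".auth_level.ns."
    level_alias = next((k[len(ns_prefix):] for k, v in pape.items()
                        if k.startswith(ns_prefix) and v == NIST_NS), None)
    level = pape.get(f"{alias}.auth_level.{level_alias}", "")
    if not level.isdigit() or int(level) < min_nist:
        return False, "NIST assurance level too low or absent"
    return True, "ok"

# Constructed sample assertion (not captured traffic), reduced to the PAPE-related keys.
SAMPLE = {
    "openid.ns.pape": PAPE_NS,
    "openid.pape.auth_policies": MULTI_FACTOR,
    "openid.pape.auth_time": "2010-08-16T12:35:00Z",
    "openid.pape.auth_level.ns.nist": NIST_NS,
    "openid.pape.auth_level.nist": "3",
    "openid.signed": "ns.pape,pape.auth_policies,pape.auth_time,"
                     "pape.auth_level.ns.nist,pape.auth_level.nist",
}
```

A PAPE field that is present but missing from `openid.signed` is treated as absent, so a value appended to the response in transit cannot raise the reported strength.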