Getting authentication strength when accepting OpenID

John Bradley john.bradley at wingaa.com
Mon Aug 16 15:15:24 UTC 2010


An example of a real profile that people are certified against is:
http://idmanagement.gov/documents/ICAM_OpenID20Profile.pdf

John B.

On 2010-08-16, at 8:40 AM, Paul Madsen wrote:

> and wrt the 'standards' for what goes in the PAPE extension, look at
> 
> http://openidentityexchange.org/ and
> 
> http://kantarainitiative.org/confluence/display/certification/Identity+Assurance+Certification+Program
> 
> On 16/08/2010 2:22 AM, David Recordon wrote:
>> Hey Dennis, take a look at the Provider Authentication Policy Exchange
>> extension as it's meant to provide some of this sort of information.
>> It is a bit more abstract than what you're describing, but has been
>> used successfully for similar needs.
>> 
>> 
>> http://openid.net/specs/openid-provider-authentication-policy-extension-1_0.html
>> 
>> 
>> --David
>> 
>> 
>> On Sun, Aug 15, 2010 at 10:08 PM, Dennis Gearon 
>> <gearond at sbcglobal.net>
>> wrote:
>> 
>>> I would like to hear some small discussion on an idea/request that I have for the openID spec.
>>> 
>>> When validating with an openID source/server (not up to speed on the architecture of openID yet), part of what gets returned is the following data:
>>> 
>>> A/ A standardized authentication-difficulty rating from the site validating the user. I.e., if my password at Yahoo is only 6 characters long, and Yahoo accepts it, Yahoo still runs an openID lib procedure against the password when it's created and some standard values get returned, i.e.:
>>> 
>>>   weak
>>>   OK
>>>   strong
>>>   exceptional.
>>> 
>>> B/ A second field saying whether multiple tokens were used, such as:
>>> 
>>>   one time pad rotating code key fobs
>>>   password and drop of blood
>>>   password and handprint
>>>   et al.
>>> 
>>> OR, it could send a value saying it meets certain standards out there, if there are any. Maybe setting standards would be a good idea!!! I bet the military has some. Apparently, congressmen and others aren't required to use them on their email/social site accounts ;-)
>>> 
>>> 
>>> 
>>> 
>>> Dennis Gearon
>>> 
>>> Signature Warning
>>> ----------------
>>> EARTH has a Right To Life,
>>>  otherwise we all die.
>>> 
>>> Read 'Hot, Flat, and Crowded'
>>> Laugh at 
>>> http://www.yert.com/film.php
>>> 
>>> 
>>> _______________________________________________
>>> specs mailing list
>>> 
>>> specs at lists.openid.net
>>> http://lists.openid.net/mailman/listinfo/openid-specs
>>> 
>>> 
>>> 
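The thread points Dennis at PAPE as the existing way for an OP to report what authentication it performed. What the RP does with that answer is the part that matters for security: it must only act on PAPE fields that are covered by the assertion's signature, and it must compare them against its own requirements (required policies, maximum authentication age, minimum assurance level) rather than simply trusting that the OP "did the right thing". The following is an added example of that RP-side check; it is not code from this thread or from the OpenID project. Parameter names (openid.ns.pape, openid.pape.auth_policies, openid.pape.auth_time, openid.pape.auth_level.ns.<alias> / openid.pape.auth_level.<alias>) and the policy URIs follow my reading of PAPE 1.0, and every value in the sample response is constructed.

```python
# Added example (not from the thread or the OpenID project): how a relying party
# can evaluate what an OP asserted through PAPE before granting access.
# Parameter names follow my reading of PAPE 1.0; every sample value is constructed.
from datetime import datetime, timedelta, timezone

PAPE_NS = "http://specs.openid.net/extensions/pape/1.0"
POLICY_BASE = "http://schemas.openid.net/pape/policies/2007/06/"
POLICY_PHISHING_RESISTANT = POLICY_BASE + "phishing-resistant"
POLICY_MULTI_FACTOR = POLICY_BASE + "multi-factor"
POLICY_MULTI_FACTOR_PHYSICAL = POLICY_BASE + "multi-factor-physical"
POLICY_NONE = POLICY_BASE + "none"
# Namespace PAPE 1.0 uses for NIST SP 800-63 assurance levels (0-4).
NIST_LEVEL_NS = "http://csrc.nist.gov/publications/nistpubs/800-63/SP800-63V1_0_2.pdf"


def pape_alias(params):
    """Return the extension alias bound to the PAPE namespace, or None."""
    for key, value in params.items():
        if key.startswith("openid.ns.") and value == PAPE_NS:
            return key[len("openid.ns."):]
    return None


def parse_pape(params):
    """Extract the PAPE fields an RP may trust from a positive assertion.

    A field is trusted only if it is listed in openid.signed, i.e. covered by the
    signature the RP has already verified. Unsigned PAPE fields are reported under
    'unsigned' and otherwise ignored: anyone able to alter the redirect could
    have added or changed them.
    """
    alias = pape_alias(params)
    if alias is None:
        return None
    signed = set(params.get("openid.signed", "").split(","))
    prefix = f"openid.{alias}."
    pape = {"policies": set(), "auth_time": None, "nist_level": None, "unsigned": []}

    def signed_value(name):
        field = f"{alias}.{name}"            # form used inside openid.signed
        value = params.get(prefix + name)
        if value is None:
            return None
        if field not in signed:
            pape["unsigned"].append(field)
            return None
        return value

    if f"ns.{alias}" not in signed:           # the namespace binding itself must be signed
        pape["unsigned"].append(f"ns.{alias}")
        return pape
    policies = signed_value("auth_policies")
    if policies is not None:
        pape["policies"] = set(policies.split()) - {POLICY_NONE}
    auth_time = signed_value("auth_time")
    if auth_time is not None:                 # PAPE uses UTC ISO 8601, e.g. 2010-08-16T15:10:00Z
        pape["auth_time"] = datetime.strptime(auth_time, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    # Assurance level: find the alias whose namespace is the NIST one, then read its value.
    for key, value in params.items():
        if key.startswith(prefix + "auth_level.ns.") and value == NIST_LEVEL_NS:
            level_alias = key[len(prefix + "auth_level.ns."):]
            if signed_value(f"auth_level.ns.{level_alias}") is None:
                continue
            level = signed_value(f"auth_level.{level_alias}")
            if level is not None and level.isdigit():
                pape["nist_level"] = int(level)
    return pape


def evaluate(pape, required_policies=(), max_auth_age=None, min_nist_level=None, now=None):
    """Compare the asserted authentication with the RP's own requirements.

    Returns (accepted, reasons); an empty reasons list means accepted.
    """
    if pape is None:
        return False, ["OP did not answer the PAPE request"]
    now = now or datetime.now(timezone.utc)
    reasons = []
    missing = set(required_policies) - pape["policies"]
    if missing:
        reasons.append("policies not satisfied: " + " ".join(sorted(missing)))
    if max_auth_age is not None:
        if pape["auth_time"] is None:
            reasons.append("auth_time absent although max_auth_age was requested")
        elif now - pape["auth_time"] > timedelta(seconds=max_auth_age):
            reasons.append("authentication is older than max_auth_age")
    if min_nist_level is not None and (pape["nist_level"] is None or pape["nist_level"] < min_nist_level):
        reasons.append(f"NIST level {pape['nist_level']} below required {min_nist_level}")
    return not reasons, reasons


# Constructed positive assertion, as the RP sees it after parsing the query string
# and verifying the signature (only the fields relevant here are shown).
SAMPLE_RESPONSE = {
    "openid.ns": "http://specs.openid.net/auth/2.0",
    "openid.mode": "id_res",
    "openid.ns.pape": PAPE_NS,
    "openid.pape.auth_policies": POLICY_MULTI_FACTOR + " " + POLICY_PHISHING_RESISTANT,
    "openid.pape.auth_time": "2010-08-16T15:10:00Z",
    "openid.pape.auth_level.ns.nist": NIST_LEVEL_NS,
    "openid.pape.auth_level.nist": "2",
    "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,"
                     "assoc_handle,ns.pape,pape.auth_policies,pape.auth_time,"
                     "pape.auth_level.ns.nist,pape.auth_level.nist",
}
SAMPLE_NOW = datetime(2010, 8, 16, 15, 15, 24, tzinfo=timezone.utc)  # constructed clock


def sample_decision(max_auth_age=600, signed=SAMPLE_RESPONSE["openid.signed"]):
    """Run the sample through the checks; 'signed' lets a caller drop fields from the signature."""
    params = {**SAMPLE_RESPONSE, "openid.signed": signed}
    pape = parse_pape(params)
    return pape, evaluate(pape, required_policies=[POLICY_MULTI_FACTOR],
                          max_auth_age=max_auth_age, min_nist_level=2, now=SAMPLE_NOW)


if __name__ == "__main__":
    pape, (accepted, reasons) = sample_decision()
    print("accepted:", accepted, "reasons:", reasons, "unsigned:", pape["unsigned"])
```

The sample is accepted with a 600-second freshness window and rejected with a 300-second one, because the constructed auth_time is 324 seconds before the constructed clock. Dropping pape.auth_level.nist from openid.signed makes parse_pape report the field as unsigned and leave nist_level empty, so the assurance-level requirement fails; this is the behaviour an RP wants, since a field outside the signature carries no more weight than if the OP had never sent it.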

