[OpenID] Announcing OpenID Authentication 2.0 - Implementor's Draft 11

Ben Laurie benl at google.com
Mon Jan 22 18:11:44 UTC 2007


On 1/22/07, Josh Hoyt <josh at janrain.com> wrote:
> On 1/22/07, Ben Laurie <benl at google.com> wrote:
> > > On 1/22/07, Ben Laurie <benl at google.com> wrote:
> > > > OK, the idea is pretty simple. Rather like the "OpenID Authentication
> > > > Security Profiles" you have a profile where the RP states what kind of
> > > > End User/OP authentication is acceptable to it. Sites with low/zero
> > > > value attached to the login can accept any kind of EU/OP auth, whereas
> > > > high value sites can require "unphishable" auth.
> > >
> > > I like the sound of this proposal, but I don't see how the RP could
> > > know whether the OP is actually using "unphishable" authentication
> > > when that kind of authentication is requested. Is it necessary for the
> > > RP to be able to tell for sure, and if so, how could it tell?
> >
> > No, I don't think it is necessary. If users want to trust their
> > identity to OPs that lie, that's their decision.
>
> In that case, I think this could just be part of the "Assertion
> Quality Extension." [1] I haven't been involved in that specification
> at all, but my understanding is that it provides a way of expressing
> what kind of authentication the RP would like to have when a request
> is made to the OP.

Actually, it appears to allow the RP to tell the OP what kind of
authentication was used, which is backwards.

It also seems to be rather lacking in meat. Still, a step in the right
direction.

>
> Josh
>
> 1. http://openid.net/specs/openid-assertion-quality-extension-1_0-01.html
>
