[OpenID] Announcing OpenID Authentication 2.0 - Implementor's Draft 11

Ben Laurie benl at google.com
Mon Jan 22 18:56:50 UTC 2007


On 1/22/07, Ben Laurie <benl at google.com> wrote:
> On 1/22/07, Josh Hoyt <josh at janrain.com> wrote:
> > On 1/22/07, Ben Laurie <benl at google.com> wrote:
> > > > On 1/22/07, Ben Laurie <benl at google.com> wrote:
> > > > > OK, the idea is pretty simple. Rather like the "OpenID Authentication
> > > > > Security Profiles" you have a profile where the RP states what kind of
> > > > > End User/OP authentication is acceptable to it. Sites with low/zero
> > > > > value attached to the login can accept any kind of EU/OP auth, whereas
> > > > > high value sites can require "unphishable" auth.
> > > >
> > > > I like the sound of this proposal, but I don't see how the RP could
> > > > know whether the OP is actually using "unphishable" authentication
> > > > when that kind of authentication is requested. Is it necessary for the
> > > > RP to be able to tell for sure, and if so, how could it tell?
> > >
> > > No, I don't think it is necessary. If users want to trust their
> > > identity to OPs that lie, that's their decision.
> >
> > In that case, I think this could just be part of the "Assertion
> > Quality Extension." [1] I haven't been involved in that specification
> > at all, but my understanding is that it provides a way of expressing
> > what kind of authentication the RP would like to have when a request
> > is made to the OP.
>
> Actually, it appears to allow the RP to tell the OP what kind of
> authentication was used, which is backwards.

Sorry, I mean the OP to tell the RP!

>
> It also seems to be rather lacking in meat. Still, a step in the right
> direction.
>
> >
> > Josh
> >
> > 1. http://openid.net/specs/openid-assertion-quality-extension-1_0-01.html
> >
>
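As an added example, not code from this thread or from any OpenID implementation: an RP-side policy check in Python over a constructed OpenID 2.0 positive assertion in which the OP self-reports the kind of End User/OP authentication it used. The extension alias `aq` and its `method` field are assumed names, not the Assertion Quality Extension's real ones, and the response is reduced to the fields relevant here; the association secret is constructed.

```python
import base64
import hashlib
import hmac

# Constructed sample secret shared between RP and OP (the association MAC key).
ASSOC_SECRET = b"constructed-association-secret"

def kv_form(fields, signed):
    """Key-value form that OpenID 2.0 signs: 'key:value\\n' per signed field, in order."""
    return "".join(f"{k}:{fields['openid.' + k]}\n" for k in signed).encode()

def sign(fields, signed):
    mac = hmac.new(ASSOC_SECRET, kv_form(fields, signed), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()

def make_response(method, sign_claim=True):
    """Constructed positive assertion (id_res) from an OP. The 'aq' alias and
    'aq.method' field are hypothetical, not the real AQE field names."""
    fields = {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "id_res",
        "openid.claimed_id": "https://alice.example/",
        "openid.ns.aq": "http://example.invalid/hypothetical-auth-quality",
        "openid.aq.method": method,  # what the OP *says* it used
    }
    signed = ["ns", "mode", "claimed_id"]
    if sign_claim:
        signed += ["ns.aq", "aq.method"]
    fields["openid.signed"] = ",".join(signed)
    fields["openid.sig"] = sign(fields, signed)
    return fields

def rp_decision(resp, acceptable):
    """RP policy check. 'acceptable' is the set of auth methods this RP accepts,
    or None when a low-value site accepts any kind; returns (accepted, reason)."""
    signed = resp["openid.signed"].split(",")
    if not hmac.compare_digest(sign(resp, signed), resp["openid.sig"]):
        return False, "bad signature"
    if acceptable is None:
        return True, "any authentication accepted"
    # A claim outside openid.signed could have been altered in transit: treat as absent.
    if "aq.method" not in signed:
        return False, "auth method not covered by signature"
    method = resp["openid.aq.method"]
    if method not in acceptable:
        return False, f"OP reports {method!r}, not acceptable here"
    # Passing this check still rests on trusting the OP's self-report; the RP
    # cannot observe what actually happened at the OP.
    return True, f"OP reports {method!r}"
```

The signature check only protects the OP's statement in transit; whether the OP told the truth remains the user's trust decision, as the thread says.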