[OpenID] OpenID 2.0, PAPE, and handling monetary transactions

Manger, James H James.H.Manger at team.telstra.com
Wed Nov 28 01:48:53 UTC 2007


Perhaps, instead of an RP asking an OP about the strength/freshness of the authentication (and worrying that the OP may be lying), the RP should indicate to the OP how important it feels this login is to the user (and recognize that it is up to the OP if or how that changes its behaviour).

I would like to see an openid.importance=[-100,100] authentication attribute (for requests and acknowledged in responses).

Then there would no longer be an incentive for OPs to lie to RPs so users are accepted. Instead, there would be an incentive for users to pick the level of trust they have in their OP (& their “name provider” and DNS). Users can make poor choices, but at least it is an explicit and somewhat intuitive choice (raising a trust/danger level).

[http://openid.net/pipermail/specs/2006-December/001019.html discusses this proposal. I originally suggested importance values like “low”, “session”, “money”… but I now think a number from -100 to +100 is better.]


P.S. Has anyone confirmed that USAA actually does use OpenID? The quote on the OpenID wiki mentions an “Online ID”, but not an “OpenID”.


----------
From: general-bounces at openid.net [mailto:general-bounces at openid.net] On Behalf Of Ben Bangert
Sent: Wednesday, 28 November 2007 9:03 AM

…
The fact that a user can tell the OP to let them do anything they  
want, still leaves open the main issue here.... how does the RP trust  
the OP's assertions?
…

