[OpenID] Durability of authorized sessions
Allen Tom
atom at yahoo-inc.com
Fri Nov 30 08:46:41 UTC 2007
Hi Tony,
Your scenario indicates that users or RPs may seek compensation from OPs
in the event that a high value transaction was wrongly authorized via
OpenID, which is precisely why some OPs may want to make no claims about
the security of their OpenIDs, and to explicitly warn RPs not to
authorize high value transactions using their OpenIDs.
The PAPE extension allows an OP to return openid.pape.nist_auth_level=0
to indicate that the user did not meet the requirements of NIST Level 1.
Perhaps the convention should be that RPs should not authorize high
value transactions based solely on an authentication response with
nist_auth_level=0. It would be great if the PAPE extension contained
additional language regarding the significance of Level 0 auth, and
that the community define best practices regarding the handling of high
value transactions. This would be an interesting topic at IIW next week.
Allen
Tony Locke wrote:
>
> Also, you suggest a scheme where an OP indicates whether an id is
> suitable for high value transactions. What about taking this one step
> further and have the OP give a monetary value that it'll refund if it
> wrongly authenticates a user? Then if a transaction goes wrong and
> it's the OP's fault, the RP can get a refund from the OP. If the end
> user is affected, they would seek redress from the RP. This eliminates
> buck-passing between the RP and OP.
>
>
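The RP-side convention Allen proposes, as an added example that is not code from the thread or from any OpenID library: look up the alias the OP bound to the PAPE namespace, read nist_auth_level only if openid.signed covers it, and refuse a high-value transaction at level 0. The PAPE 1.0 namespace URI is the real one; treating an absent or unsigned level the same as level 0 is an assumption (a conservative policy choice), and the sample responses are constructed, with signature verification assumed to have been done by the OpenID library beforehand.

```python
PAPE_NS = "http://specs.openid.net/extensions/pape/1.0"

def pape_alias(params):
    """Return the alias the OP chose for PAPE (openid.ns.<alias>), or None."""
    for key, value in params.items():
        if key.startswith("openid.ns.") and value == PAPE_NS:
            return key[len("openid.ns."):]
    return None

def nist_auth_level(params):
    """Signed openid.<alias>.nist_auth_level as an int; None if absent, unsigned or malformed."""
    alias = pape_alias(params)
    if alias is None:
        return None
    field = f"{alias}.nist_auth_level"
    # openid.signed lists signed fields without the 'openid.' prefix; an
    # extension value outside that list could have been injected en route.
    signed = set(params.get("openid.signed", "").split(","))
    if f"ns.{alias}" not in signed or field not in signed:
        return None
    try:
        return int(params[f"openid.{field}"])
    except (KeyError, ValueError):
        return None

def allow_high_value(params, min_level=1):
    """Policy (assumed): level 0, missing or unsigned level never clears a high-value transaction."""
    level = nist_auth_level(params)
    return level is not None and level >= min_level

def sample(alias, level, signed=True):
    """Constructed id_res fragment (not a real OP's output), reduced to PAPE-relevant fields."""
    fields = ["op_endpoint", "claimed_id", "identity", "return_to", "response_nonce", "assoc_handle"]
    if signed:
        fields += [f"ns.{alias}", f"{alias}.nist_auth_level"]
    return {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "id_res",
        f"openid.ns.{alias}": PAPE_NS,
        f"openid.{alias}.nist_auth_level": str(level),
        "openid.signed": ",".join(fields),
        "openid.sig": "<constructed placeholder>",
    }

if __name__ == "__main__":
    for name, resp in [("level0", sample("pape", 0)), ("level1", sample("pape", 1)),
                       ("alias-p", sample("p", 2)), ("unsigned", sample("pape", 2, signed=False))]:
        print(f"{name}: nist_auth_level={nist_auth_level(resp)} high_value_ok={allow_high_value(resp)}")
```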