[OpenID] PAPE yahoo?

James Tindall james at atomless.com
Thu Jul 3 08:10:05 UTC 2008


Thanks for clearing that up Allen, much appreciated!

James

Allen Tom wrote:
> Hi Peter,
>
> Yahoo issues persistent browser sessions that are valid for up to 14 
> days, and the Yahoo OpenID Provider does not re-prompt for the user's 
> password before we send an assertion to the Relying Party. We do not 
> re-prompt the user for their password in order to improve the 
> usability of the service.
>
> Generally speaking, sites that authorize financial transactions 
> re-prompt the user for their password before authorizing the 
> transaction, even if the user is already logged in.
>
> We're definitely interested in seeing OpenID being used to authorize 
> high value transactions, and hopefully the new PAPE extension will 
> make this a reality.
>
> In answer to your question, currently a Yahoo OpenID is not 
> appropriate to protect a stored credit card number on an RP that is an 
> online merchant or bank.
>
> Allen
>
>
> Peter Williams wrote:
>> Is the yahoo limitation due to the technical nature of openid?
>>
>> Is it due to the open nature of the openid uci model?
>>
>> Is the advice the same as given to folks who use alternative apis?
>>
>> Should I take it as given that a yahoo openid is not appropriate for 
>> concluding a $1 credit card transaction? Even over verisign ssl?
>>
>> ________________________________
>> From: Allen Tom <atom at yahoo-inc.com>
>> Sent: Wednesday, July 02, 2008 8:24 PM
>> To: 'James Tindall' <james at atomless.com>; general at openid.net 
>> <general at openid.net>
>> Subject: Re: [OpenID] PAPE yahoo?
>>
>> Hi James,
>>
>> Yahoo supports the PAPE extension specifically to mark our assertions 
>> with NIST Auth Level 0, to indicate that Relying Parties should not use 
>> Yahoo OpenID assertions to authorize transactions of financial value, 
>> or other high value transactions. We have this documented in our FAQ 
>> here:
>>
>> http://developer.yahoo.com/openid/faq.html
>>
>> Thanks,
>> Allen
>>
>>
>>
>>
>> Drummond Reed wrote:
>>
>> James Tindall wrote:
>>
>> Hello all,
>>
>> I have a quick question that doesn't seem to be covered in the existing
>> spec docs.
>>
>> If a user enters 'yahoo.com' the OpenID discovery phase yields this xrds
>> document:
>>
>> <xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
>>   <XRD>
>>     <Service priority="0">
>>       <Type>http://specs.openid.net/auth/2.0/server</Type>
>>       <Type>http://specs.openid.net/extensions/pape/1.0</Type>
>>       <URI>https://open.login.yahooapis.com/openid/op/auth</URI>
>>     </Service>
>>   </XRD>
>> </xrds:XRDS>
>>
>> Is a Relying Party to take this as meaning that the Yahoo OpenID server
>> supports all PAPE policies?
>>
>>
>>
>> It depends on what you mean by "supports all PAPE policies".
>>
>> The XRD above simply says that the Yahoo OpenID 2.0 server supports PAPE,
>> which means the RP can include a PAPE request in their OpenID 2.0
>> authentication request to the Yahoo OP, and Yahoo will answer the request
>> saying which policies it did/didn't use for authentication (e.g., was it
>> phishing-proof or not?)
>>
>> It doesn't mean that Yahoo has to support all the potential authentication
>> policies that the PAPE vocabulary includes.
>>
>> =Drummond
>>
>> _______________________________________________
>> general mailing list
>> general at openid.net
>> http://openid.net/mailman/listinfo/general
>>
>
>

-- 

-----------------------------------------

James Tindall

http://www.atomless.com/

T : +44(0)1305 250 377
M : +44(0)7971 012 032
F : +44(0)1305 250 377

-----------------------------------------
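The thread's practical point is that an RP must not trust its own PAPE request: Yahoo answers with NIST level 0 and does not re-prompt, so the decision to authorize a payment has to be taken from the signed PAPE fields in the assertion. The following is an added example written for this page, not Yahoo's or the OpenID Foundation's code. It assumes an HMAC-SHA1 association (the association secret, the OP and RP URLs, and the messages are constructed here), and it accepts both the draft-era `nist_auth_level` field discussed in this thread and the `auth_level.ns.<alias>` / `auth_level.<alias>` form of the final PAPE 1.0 specification; the `pape_request`, `can_authorize_payment` and `assertion` helpers are hypothetical names.

```python
"""RP-side handling of PAPE data in an OpenID 2.0 positive assertion.

Added example with constructed messages and keys; not Yahoo's or the spec's code.
"""
import base64
import calendar
import hashlib
import hmac
import time

PAPE_NS = "http://specs.openid.net/extensions/pape/1.0"
NIST_NS = "http://csrc.nist.gov/publications/nistpubs/800-63/SP800-63V1_0_2.pdf"
POLICY = "http://schemas.openid.net/pape/policies/2007/06/"
PHISHING_RESISTANT = POLICY + "phishing-resistant"
MULTI_FACTOR = POLICY + "multi-factor"
POLICY_NONE = POLICY + "none"


def pape_request(policies, max_auth_age=0):
    """Parameters the RP appends to checkid_setup. max_auth_age=0 asks the OP
    to re-authenticate now; whether it did is only known from the response."""
    return {"openid.ns.pape": PAPE_NS,
            "openid.pape.preferred_auth_policies": " ".join(policies),
            "openid.pape.max_auth_age": str(max_auth_age)}


def kv_form(fields, signed):
    """OpenID 2.0 key-value form of the signed fields, in openid.signed order."""
    return "".join(f"{k}:{fields['openid.' + k]}\n" for k in signed)


def sign(fields, mac_key):
    """HMAC-SHA1 association signature over the key-value form (OP side)."""
    data = kv_form(fields, fields["openid.signed"].split(",")).encode()
    return base64.b64encode(hmac.new(mac_key, data, hashlib.sha1).digest()).decode()


def signature_valid(fields, mac_key):
    return hmac.compare_digest(sign(fields, mac_key), fields.get("openid.sig", ""))


def pape_alias(fields):
    """The OP may bind PAPE to any alias; locate it through openid.ns.<alias>."""
    for k, v in fields.items():
        if k.startswith("openid.ns.") and v == PAPE_NS:
            return k[len("openid.ns."):]
    return None


def pape_signed(fields, alias):
    """Every PAPE field and the namespace declaration must be in openid.signed,
    otherwise an attacker could rewrite them in transit."""
    signed = set(fields.get("openid.signed", "").split(","))
    keys = [k[len("openid."):] for k in fields if k.startswith(f"openid.{alias}.")]
    return f"ns.{alias}" in signed and all(k in signed for k in keys)


def nist_level(fields, alias):
    """NIST SP 800-63 level the OP asserts, 0 if absent (draft and final forms)."""
    if f"openid.{alias}.nist_auth_level" in fields:
        return int(fields[f"openid.{alias}.nist_auth_level"])
    prefix = f"openid.{alias}.auth_level.ns."
    for k, v in fields.items():
        if k.startswith(prefix) and v == NIST_NS:
            return int(fields.get(f"openid.{alias}.auth_level.{k[len(prefix):]}", 0))
    return 0


def can_authorize_payment(fields, mac_key, now, max_age=300, min_level=2):
    """RP policy for a financial transaction. Returns (allowed, reason)."""
    alias = pape_alias(fields)
    if alias is None or not pape_signed(fields, alias):
        return False, "assertion carries no signed PAPE data"
    if not signature_valid(fields, mac_key):
        return False, "signature check failed"
    if nist_level(fields, alias) < min_level:
        return False, "NIST auth level below %d" % min_level
    auth_time = fields.get(f"openid.{alias}.auth_time")
    if auth_time is None:
        return False, "OP did not report auth_time"
    age = now - calendar.timegm(time.strptime(auth_time, "%Y-%m-%dT%H:%M:%SZ"))
    if age > max_age:
        return False, "authentication is %d s old" % age
    policies = set(fields.get(f"openid.{alias}.auth_policies", "").split())
    if not policies & {PHISHING_RESISTANT, MULTI_FACTOR}:
        return False, "no phishing-resistant or multi-factor policy"
    return True, "ok"


# Constructed sample data: not real Yahoo traffic, keys or identifiers.
MAC_KEY = b"constructed-association-secret"
AUTH_TIME = "2008-07-03T08:10:05Z"
NOW = calendar.timegm(time.strptime(AUTH_TIME, "%Y-%m-%dT%H:%M:%SZ")) + 30


def assertion(pape, alias="pape", mac_key=MAC_KEY):
    """Build and sign a positive assertion carrying the given PAPE fields."""
    f = {"openid.ns": "http://specs.openid.net/auth/2.0", "openid.mode": "id_res",
         "openid.op_endpoint": "https://open.login.yahooapis.com/openid/op/auth",
         "openid.claimed_id": "https://op.example/alice",
         "openid.identity": "https://op.example/alice",
         "openid.return_to": "https://rp.example/return",
         "openid.response_nonce": AUTH_TIME + "abc123",
         "openid.assoc_handle": "constructed-handle", f"openid.ns.{alias}": PAPE_NS}
    f.update({f"openid.{alias}.{k}": v for k, v in pape.items()})
    f["openid.signed"] = ",".join(k[len("openid."):] for k in f
                                  if k not in ("openid.ns", "openid.mode"))
    f["openid.sig"] = sign(f, mac_key)
    return f


# A Yahoo-style answer as described in the thread: level 0, no policy, no re-prompt.
YAHOO_LIKE = assertion({"auth_policies": POLICY_NONE, "auth_time": AUTH_TIME,
                        "nist_auth_level": "0"})
# A hypothetical OP that re-prompted with a strong credential, using alias "p".
STRONG = assertion({"auth_policies": f"{PHISHING_RESISTANT} {MULTI_FACTOR}",
                    "auth_time": AUTH_TIME, "nist_auth_level": "2"}, alias="p")

if __name__ == "__main__":
    for name, a in (("yahoo-like", YAHOO_LIKE), ("strong", STRONG)):
        print(name, can_authorize_payment(a, MAC_KEY, NOW))
```

The order of checks matters: the alias lookup and `openid.signed` coverage come first because an unsigned PAPE field is worthless whatever it says, then the signature, and only then the level, freshness and policy. A Yahoo-style assertion fails at the level check, which is exactly the outcome Allen describes for a stored credit card number.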



