[OpenID] Building on the OpenID PAPE specification
Peter Williams
pwilliams at rapattoni.com
Mon Oct 6 22:23:03 UTC 2008
Any chance of the values registered in the OASIS SAML authcontext world being applied to this? Or, does there have to be yet another registration process (for no particular reason): EAP, SAML, OpenID?
If I bind to an OP using EAP-TLS as an act of user auth, surely evidence from that TLS session between supplicant and authenticator could accompany the PAPE-AM signals issued by the OP. E.g. if the EAP-TLS session uses SAML HOK for TLS client auth (rather than X.509 client certs and signatures), the confirmation component of the SAML assertion could accompany the PAPE-AM signals.
How about that for a bit of websso convergence? The quality of the OpenID handshake/session/trustfabric would not necessarily degrade the user authentication act, then. It's just a conduit.
-----Original Message-----
From: general-bounces at openid.net [mailto:general-bounces at openid.net] On Behalf Of David Recordon
Sent: Monday, October 06, 2008 2:36 PM
To: Brian Kelly
Cc: general at openid.net
Subject: Re: [OpenID] Building on the OpenID PAPE specification
Hey Brian,
I'm jumping on a plane so only got a chance to skim this but it seems
like a great post on some additional needs to use OpenID in higher
trust environments. Thanks for taking the time to write up your
thoughts and share them with the community.
--David
---
Sent from my iPhone classic.
On Oct 6, 2008, at 5:29 PM, "Brian Kelly"
<brian.kelly at trustbearer.com> wrote:
> A few months ago, some members from the OATH community and I got
> together to take a fresh look at the PAPE spec, what it was trying to
> accomplish, and how well it could be implemented. We started holding
> semi-weekly conference calls and over the period of a couple months we
> drafted up a slightly new take on PAPE.
>
> The main difference is that we defined a specific set of
> authentication methods, rather than only using high-level policies.
> After long discussions we found that there was too much ambiguity in
> the high-level policies as defined today in PAPE. We created a draft
> of our modified specification, termed PAPE-Authentication Mechanisms
> (PAPE-AM), and we are beginning to socialize the concepts in that
> draft.
>
> I published a blog post summarizing our motivations, and wanted to
> share it with the greater OpenID mailing list.
>
> http://openidtrustbearer.wordpress.com/2008/10/06/building-on-the-openid-pape-specification/
>
> I would appreciate hearing the thoughts of the readers on this mailing
> list. Please respond publicly, or feel free to contact me directly.
>
> Thank you,
> Brian
>
> --
> Brian Kelly
> TrustBearer Labs
> http://trustbearer.com
>
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general
_______________________________________________
general mailing list
general at openid.net
http://openid.net/mailman/listinfo/general
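The thread discusses what a relying party actually learns from the PAPE policy URIs an OP returns. As an added worked example (not code from the OpenID project, TrustBearer, or any participant in this thread), the following shows the checks an RP has to make before it can rely on a PAPE 1.0 response at all: that the PAPE parameters are covered by the OP's signature, that every policy the RP asked for is reported as satisfied, and that the reported authentication time is fresh enough. The parameter names and policy URIs are those of PAPE 1.0; the response dictionaries, timestamps and `max_auth_age` values are constructed for illustration, and the example assumes the OpenID signature itself has already been verified by the RP's OpenID library.

```python
"""Relying-party evaluation of an OpenID PAPE 1.0 response (added example).

Assumes the OpenID 2.0 signature over the response has already been
verified (via the association or check_authentication); this code only
checks that the PAPE fields were inside that signature, that the requested
policies were met, and that the authentication is recent enough.
"""
from datetime import datetime, timedelta, timezone

# Namespace and policy URIs defined by the PAPE 1.0 specification.
PAPE_NS = "http://specs.openid.net/extensions/pape/1.0"
PHISHING_RESISTANT = "http://schemas.openid.net/pape/policies/2007/06/phishing-resistant"
MULTI_FACTOR = "http://schemas.openid.net/pape/policies/2007/06/multi-factor"
MULTI_FACTOR_PHYSICAL = "http://schemas.openid.net/pape/policies/2007/06/multi-factor-physical"
NONE_POLICY = "http://schemas.openid.net/pape/policies/2007/06/none"


def find_pape_alias(resp):
    """Return the extension alias bound to the PAPE namespace (commonly 'pape')."""
    for key, value in resp.items():
        if key.startswith("openid.ns.") and value == PAPE_NS:
            return key[len("openid.ns."):]
    return None


def evaluate_pape(resp, required_policies, max_auth_age, now):
    """Return (accepted, reason) for a positive assertion carrying PAPE data.

    resp              -- the OpenID response parameters as a dict
    required_policies -- policy URIs the RP insists on
    max_auth_age      -- seconds the RP accepts since the user last authenticated
    now               -- current time as an aware UTC datetime
    """
    alias = find_pape_alias(resp)
    if alias is None:
        return False, "PAPE namespace not declared in response"
    prefix = f"openid.{alias}."

    # openid.signed lists field names without the leading 'openid.'; every
    # PAPE field the RP relies on must be in that list, or an attacker who
    # can alter unsigned fields could claim any policy was satisfied.
    signed = set(resp.get("openid.signed", "").split(","))
    for field in ("auth_policies", "auth_time"):
        if f"{alias}.{field}" not in signed:
            return False, f"{prefix}{field} is not covered by the OP signature"

    # auth_policies is a space-separated list of URIs; 'none' means no
    # policy was satisfied, so it never counts towards a requirement.
    policies = set(resp.get(prefix + "auth_policies", "").split())
    policies.discard(NONE_POLICY)
    missing = set(required_policies) - policies
    if missing:
        return False, "unsatisfied policies: " + ", ".join(sorted(missing))

    # auth_time is an ISO 8601 UTC timestamp, e.g. 2008-10-06T22:21:00Z.
    raw = resp.get(prefix + "auth_time")
    if raw is None:
        return False, "auth_time absent"
    try:
        auth_time = datetime.strptime(raw, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return False, f"auth_time is not ISO 8601 UTC: {raw!r}"
    if now - auth_time > timedelta(seconds=max_auth_age):
        return False, f"authentication is older than {max_auth_age}s"
    return True, "ok"


# Constructed sample data: a well-formed response and one whose PAPE
# fields were left out of the signature.
NOW = datetime(2008, 10, 6, 22, 23, 0, tzinfo=timezone.utc)
GOOD_RESPONSE = {
    "openid.ns": "http://specs.openid.net/auth/2.0",
    "openid.mode": "id_res",
    "openid.ns.pape": PAPE_NS,
    "openid.pape.auth_policies": f"{PHISHING_RESISTANT} {MULTI_FACTOR}",
    "openid.pape.auth_time": "2008-10-06T22:21:00Z",
    "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,"
                     "assoc_handle,ns.pape,pape.auth_policies,pape.auth_time",
}
UNSIGNED_RESPONSE = dict(GOOD_RESPONSE)
UNSIGNED_RESPONSE["openid.signed"] = (
    "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle"
)

if __name__ == "__main__":
    print(evaluate_pape(GOOD_RESPONSE, [PHISHING_RESISTANT, MULTI_FACTOR], 300, NOW))
    print(evaluate_pape(UNSIGNED_RESPONSE, [PHISHING_RESISTANT], 300, NOW))
    print(evaluate_pape(GOOD_RESPONSE, [MULTI_FACTOR_PHYSICAL], 300, NOW))
    print(evaluate_pape(GOOD_RESPONSE, [MULTI_FACTOR], 60, NOW))
```

The policy check is deliberately a set comparison on URIs, which is exactly the limitation the thread is about: a URI such as `multi-factor` tells the RP nothing about which factors were used, so a method-level vocabulary like the proposed PAPE-AM would have to be carried as additional, equally signed values for the RP to act on it.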