[OpenID] Building on the OpenID PAPE specification

Dick Hardt dick.hardt at gmail.com
Mon Oct 6 23:12:04 UTC 2008


Brian: did you participate in the PAPE spec? That would have been the  
place to have brought up this issue.

Although I did not participate in the PAPE specification (only so much  
time) -- I was supportive of the high level policies vs specific  
technologies. The RP really does not (well, *should* not) care about  
how the user was authenticated, just about how much certainty the OP  
has that it is the user. It is the OP making the assertion after all.  
Keep in mind I can have an OP that says that all the factors were  
used, even if they were not.

-- Dick


On 6-Oct-08, at 2:28 PM, Brian Kelly wrote:

> A few months ago, some members from the OATH community and I got
> together to take a fresh look at the PAPE spec, what it was trying to
> accomplish, and how well it could be implemented. We started holding
> semi-weekly conference calls and over the period of a couple months we
> drafted up a slightly new take on PAPE.
>
> The main difference is that we defined a specific set of
> authentication methods, rather than only using high-level policies.
> After long discussions we found that there was too much ambiguity in
> the high-level policies as defined today in PAPE. We created a draft
> of our modified specification, termed PAPE-Authentication Mechanisms
> (PAPE-AM), and we are beginning to socialize the concepts in that draft.
>
> I published a blog post summarizing our motivations, and wanted to
> share it with the greater OpenID mailing list.
>
> http://openidtrustbearer.wordpress.com/2008/10/06/building-on-the-openid-pape-specification/
>
> I would appreciate hearing the thoughts of the readers on this mailing
> list. Please respond publicly, or feel free to contact me directly.
>
> Thank you,
> Brian
>
> --
> Brian Kelly
> TrustBearer Labs
> http://trustbearer.com
>



