[OpenID] Building on the OpenID PAPE specification
Peter Williams
pwilliams at rapattoni.com
Mon Oct 6 23:41:02 UTC 2008

This is a general list vs a working group (where I don't belong). But, even so, we have heard 4 comments on PAPE:

- An OP can lie and be conforming.
- The NIST levels do not satisfy the business needs of at least 1 mega OP.
- A NIST level plus the inherently low assurance nature of the openidauth protocol adds up to little (if anything), to those trained in information assurance doctrine.
- Higher assurance OPs need the means to signal details to the RP, so that the details would influence the RP (which presumes a conforming OP is not lying).

-----Original Message-----
From: Paul Madsen <paulmadsen at rogers.com>
Sent: Monday, October 06, 2008 3:26 PM
To: Brian Kelly <brian.kelly at trustbearer.com>
Cc: general at openid.net <general at openid.net>
Subject: Re: [OpenID] Building on the OpenID PAPE specification

Hi Brian, do you have any thoughts on how PAPE-AM will, or won't, be
compatible with the (as I understand the current situation) soon to
be standard PAPE?

My company is facing some use cases that imply reconciling or mapping
SAML Authentication Context and PAPE, so I'm concerned about a split here.

thanks
paul

Brian Kelly wrote:
> A few months ago, some members from the OATH community and I got
> together to take a fresh look at the PAPE spec, what it was trying to
> accomplish, and how well it could be implemented. We started holding
> semi-weekly conference calls and over the period of a couple months we
> drafted up a slightly new take on PAPE.
>
> The main difference is that we defined a specific set of
> authentication methods, rather than only using high-level policies.
> After long discussions we found that there was too much ambiguity in
> the high-level policies as defined today in PAPE. We created a draft
> of our modified specification, termed PAPE-Authentication Mechanisms
> (PAPE-AM), and we are beginning to socialize the concepts in that draft.
>
> I published a blog post summarizing our motivations, and wanted to
> share it with the greater OpenID mailing list.
>
> http://openidtrustbearer.wordpress.com/2008/10/06/building-on-the-openid-pape-specification/
>
> I would appreciate hearing the thoughts of the readers on this mailing
> list. Please respond publicly, or feel free to contact me directly.
>
> Thank you,
> Brian
>
> --
> Brian Kelly
> TrustBearer Labs
> http://trustbearer.com
>
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general
--
Paul Madsen e:paulmadsen @ ntt-at.com
NTT p:613-482-0432
m:613-302-1428
aim:PaulMdsn5
web:connectid.blogspot.com