[OpenID] Building on the OpenID PAPE specification

Nat sakimura at gmail.com
Tue Oct 7 03:23:47 UTC 2008


In addition, a third party certified assurance program is needed.

BTW, NIST levels are not particulary useful in OpenID AuthN 2.0 per  
se. It needs to be coupled with other extensions to support the  
digital signature requirement for indirect communications.

=nat at TOKYO via iPhone

On 2008/10/07, at 8:41, Peter Williams <pwilliams at rapattoni.com> wrote:

> This is a general list vs a working group (where I don't belong).  
> But, even so, we have heard 4 comments on pape:
>
> An op can lie and be conforming
>
> The nist levels do not satisfy the business needs of at least 1 mega  
> op
>
> A nist level plus the inherently low assurance nature of openidauth  
> protocol adds up to little (if anything), to those trained in  
> information assurance doctrine
>
> Higher assurance ops need the means to signal details to the rp, so  
> that the details would influence the rp (which presumes a conforming  
> op is not lying).
>
> -----Original Message-----
> From: Paul Madsen <paulmadsen at rogers.com>
> Sent: Monday, October 06, 2008 3:26 PM
> To: Brian Kelly <brian.kelly at trustbearer.com>
> Cc: general at openid.net <general at openid.net>
> Subject: Re: [OpenID] Building on the OpenID PAPE specification
>
>
> Hi Brian, do you have any thoughts on how PAPE-AM will, or wont, be
> compatible with the (as I understand the current situation) the soon  
> to
> be standard PAPE
>
> My company is facing some use cases that imply reconciling or mapping
> SAML Authentication Context and PAPE, so Im concerned about a split  
> here
>
> thanks
>
> paul
>
> Brian Kelly wrote:
>> A few months ago, some members from the OATH community and I got
>> together to take a fresh look at the PAPE spec, what it was trying to
>> accomplish, and how well it could be implemented. We started holding
>> semi-weekly conference calls and over the period of a couple months  
>> we
>> drafted up a slightly new take on PAPE.
>>
>> The main difference is that we defined a specific set of
>> authentication methods, rather than only using high-level policies.
>> After long discussions we found that there was too much ambiguity in
>> the high-level policies as defined today in PAPE. We created a draft
>> of our modified specification, termed PAPE-Authentication Mechanisms
>> (PAPE-AM), and we are beginning to socialize the concepts in that  
>> draft.
>>
>> I published a blog post summarizing our motivations, and wanted to
>> share it with the greater OpenID mailing list.
>>
>> http://openidtrustbearer.wordpress.com/2008/10/06/building-on-the-openid-pape-specification/
>>
>> I would appreciate hearing the thoughts of the readers on this  
>> mailing
>> list. Please respond publicly, or feel free to contact me directly.
>>
>> Thank you,
>> Brian
>>
>> --
>> Brian Kelly
>> TrustBearer Labs
>> http://trustbearer.com
>>
>> _______________________________________________
>> general mailing list
>> general at openid.net
>> http://openid.net/mailman/listinfo/general
>>
>>
>>
>
> --
> Paul Madsen            e:paulmadsen @ ntt-at.com
> NTT                    p:613-482-0432
>                       m:613-302-1428
>                       aim:PaulMdsn5
>                       web:connectid.blogspot.com
>
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general



More information about the general mailing list