[OpenID] Building on the OpenID PAPE specification

Peter Williams pwilliams at rapattoni.com
Tue Oct 7 06:19:44 UTC 2008


I don't belong in an OpenID WG, and I belong even less in the steering group chartering WGs and issuing standards.

If this was a last call on a non-WG commenting list, the steering group just got non-WG input. It is often frustrating to WG members.

5. There is no means to authenticate the communication of PAPE requirements from the "consumer".


-----Original Message-----
From: Tatsuki Sakushima [mailto:tatsuki at nri.com]
Sent: Monday, October 06, 2008 10:24 PM
To: Nat
Cc: Peter Williams; Brian Kelly; general at openid.net
Subject: Re: [OpenID] Building on the OpenID PAPE specification

> BTW, NIST levels are not particularly useful in OpenID AuthN 2.0 per
> se. It needs to be coupled with other extensions to support the
> digital signature requirement for indirect communications.

I proposed adding a digital signature feature to PAPE in the WG, but
it was rejected for the same reason as PAPE-AM: it is out of
scope in the current charter. Welcoming more people who are interested
in improving PAPE is a good thing. However, rules are rules. If the scope
doesn't aim at that, we can do any improvement. I won't be against the current
spec, if most of the members in the WG really want to release it as it is.
But I don't think it is sufficient to handle "NIST levels" information.
Since PAPE has been transformed to target NIST levels (it used to be only for
authentication methods, as far as I know), the purpose of the scope in
the charter could be revisited and redefined.

Or launching a new WG to add features which support PAPE is another
idea. My question is which is better to support implementors. If some
features are always used together, they should be in the same spec.

Tatsuki Sakushima
NRI Pacific - Nomura Research Institute America, Inc.

Nat wrote:
> In addition, a third party certified assurance program is needed.
>
> BTW, NIST levels are not particularly useful in OpenID AuthN 2.0 per
> se. It needs to be coupled with other extensions to support the
> digital signature requirement for indirect communications.
>
> =nat at TOKYO via iPhone
>
> On 2008/10/07, at 8:41, Peter Williams <pwilliams at rapattoni.com> wrote:
>
>> This is a general list vs a working group (where I don't belong).
>> But, even so, we have heard 4 comments on PAPE:
>>
>> An OP can lie and be conforming
>>
>> The NIST levels do not satisfy the business needs of at least 1 mega
>> OP
>>
>> A NIST level plus the inherently low assurance nature of the OpenID auth
>> protocol adds up to little (if anything), to those trained in
>> information assurance doctrine
>>
>> Higher assurance OPs need the means to signal details to the RP, so
>> that the details would influence the RP (which presumes a conforming
>> OP is not lying).
>>
>> -----Original Message-----
>> From: Paul Madsen <paulmadsen at rogers.com>
>> Sent: Monday, October 06, 2008 3:26 PM
>> To: Brian Kelly <brian.kelly at trustbearer.com>
>> Cc: general at openid.net <general at openid.net>
>> Subject: Re: [OpenID] Building on the OpenID PAPE specification
>>
>>
>> Hi Brian, do you have any thoughts on how PAPE-AM will, or won't, be
>> compatible with (as I understand the current situation) the soon-to-be
>> standard PAPE?
>>
>> My company is facing some use cases that imply reconciling or mapping
>> SAML Authentication Context and PAPE, so I'm concerned about a split
>> here.
>>
>> thanks
>>
>> paul
>>
>> Brian Kelly wrote:
>>> A few months ago, some members from the OATH community and I got
>>> together to take a fresh look at the PAPE spec, what it was trying to
>>> accomplish, and how well it could be implemented. We started holding
>>> semi-weekly conference calls and over the period of a couple months
>>> we
>>> drafted up a slightly new take on PAPE.
>>>
>>> The main difference is that we defined a specific set of
>>> authentication methods, rather than only using high-level policies.
>>> After long discussions we found that there was too much ambiguity in
>>> the high-level policies as defined today in PAPE. We created a draft
>>> of our modified specification, termed PAPE-Authentication Mechanisms
>>> (PAPE-AM), and we are beginning to socialize the concepts in that
>>> draft.
>>>
>>> I published a blog post summarizing our motivations, and wanted to
>>> share it with the greater OpenID mailing list.
>>>
>>> http://openidtrustbearer.wordpress.com/2008/10/06/building-on-the-openid-pape-specification/
>>>
>>> I would appreciate hearing the thoughts of the readers on this
>>> mailing
>>> list. Please respond publicly, or feel free to contact me directly.
>>>
>>> Thank you,
>>> Brian
>>>
>>> --
>>> Brian Kelly
>>> TrustBearer Labs
>>> http://trustbearer.com
>>>
>>> _______________________________________________
>>> general mailing list
>>> general at openid.net
>>> http://openid.net/mailman/listinfo/general
>>>
>>>
>>>
>> --
>> Paul Madsen            e:paulmadsen @ ntt-at.com
>> NTT                    p:613-482-0432
>>                       m:613-302-1428
>>                       aim:PaulMdsn5
>>                       web:connectid.blogspot.com
>>
>> _______________________________________________
>> general mailing list
>> general at openid.net
>> http://openid.net/mailman/listinfo/general
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general
>
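The technical points raised in this thread are that PAPE data rides on the OpenID 2.0 indirect response, that an OP can assert any NIST level and still be conforming, and that PAPE parameters only mean something when they are coupled with the OpenID signature. As an added example, not code from the thread or from any OpenID project, the following relying-party-side check verifies that the PAPE response fields are actually listed in openid.signed and covered by a valid HMAC-SHA256 association signature before comparing the asserted nist_auth_level with the level the RP required. The association key, handle, endpoints and all message values are constructed for the demo; the field names and the PAPE namespace URI are the real PAPE 1.0 ones.

```python
"""
Added example (not from the thread): RP-side check that the PAPE fields in an
OpenID 2.0 indirect response are covered by the OP's signature, and that the
asserted NIST level meets what the RP asked for. MAC key, handle, endpoints and
all message values below are constructed for the demo.
"""
import base64
import hashlib
import hmac

PAPE_NS = "http://specs.openid.net/extensions/pape/1.0"  # real PAPE 1.0 namespace URI
PAPE_RESPONSE_FIELDS = ("auth_policies", "auth_time", "nist_auth_level")


def kv_form(fields, keys):
    """OpenID 2.0 key-value form of the listed keys: 'key:value\\n' per key, 'openid.' prefix dropped."""
    return "".join(f"{k}:{fields['openid.' + k]}\n" for k in keys)


def sign(fields, signed_keys, mac_key):
    """HMAC-SHA256 over the kv-form of the signed keys (HMAC-SHA256 association type), base64 encoded."""
    mac = hmac.new(mac_key, kv_form(fields, signed_keys).encode(), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()


def find_pape_alias(fields):
    """Return the extension alias the OP bound to the PAPE namespace, or None if absent."""
    for k, v in fields.items():
        if k.startswith("openid.ns.") and v == PAPE_NS:
            return k[len("openid.ns."):]
    return None


def check_pape_response(fields, mac_key, required_nist_level):
    """
    Returns (ok, reason). Only PAPE fields named in openid.signed and covered by a
    valid signature are trusted. Note what the signature does and does not prove:
    it shows the OP asserted these values, not that the OP's claim about its
    authentication practice is true (an OP can lie and still conform).
    """
    signed_keys = fields.get("openid.signed", "").split(",")
    missing = [k for k in signed_keys if "openid." + k not in fields]
    if missing:
        return False, f"signed list names absent field(s): {missing}"
    expected = sign(fields, signed_keys, mac_key)
    if not hmac.compare_digest(expected, fields.get("openid.sig", "")):
        return False, "bad signature"
    alias = find_pape_alias(fields)
    if alias is None:
        return False, "no PAPE namespace in response"
    if f"ns.{alias}" not in signed_keys:
        return False, "PAPE namespace declaration not signed"
    for f in PAPE_RESPONSE_FIELDS:
        key = f"{alias}.{f}"
        if f"openid.{key}" in fields and key not in signed_keys:
            return False, f"{key} present but not signed"
    level_key = f"openid.{alias}.nist_auth_level"
    if level_key not in fields:
        return False, "no nist_auth_level asserted"
    try:
        level = int(fields[level_key])
    except ValueError:
        return False, "nist_auth_level is not an integer"
    if level < required_nist_level:
        return False, f"asserted NIST level {level} below required {required_nist_level}"
    return True, "ok"


def sample_response(mac_key, nist_level, sign_pape=True):
    """Constructed positive assertion carrying PAPE fields (every value here is made up for the demo)."""
    fields = {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "id_res",
        "openid.op_endpoint": "https://op.example/endpoint",
        "openid.return_to": "https://rp.example/return",
        "openid.response_nonce": "2008-10-07T06:19:44ZDEMO",
        "openid.assoc_handle": "demo-handle",
        "openid.claimed_id": "https://op.example/alice",
        "openid.identity": "https://op.example/alice",
        "openid.ns.pape": PAPE_NS,
        "openid.pape.auth_policies": "http://schemas.openid.net/pape/policies/2007/06/phishing-resistant",
        "openid.pape.auth_time": "2008-10-07T06:19:00Z",
        "openid.pape.nist_auth_level": str(nist_level),
    }
    signed = ["op_endpoint", "return_to", "response_nonce", "assoc_handle", "claimed_id", "identity"]
    if sign_pape:  # an OP that leaves the extension fields out of openid.signed
        signed += ["ns.pape", "pape.auth_policies", "pape.auth_time", "pape.nist_auth_level"]
    fields["openid.signed"] = ",".join(signed)
    fields["openid.sig"] = sign(fields, signed, mac_key)
    return fields


if __name__ == "__main__":
    key = b"constructed-demo-mac-key"
    print(check_pape_response(sample_response(key, 3), key, 2))          # signed, level sufficient
    print(check_pape_response(sample_response(key, 3), key, 4))          # signed, level too low
    print(check_pape_response(sample_response(key, 3, False), key, 2))   # PAPE fields left unsigned
    tampered = sample_response(key, 1)
    tampered["openid.pape.nist_auth_level"] = "3"                         # edited in transit
    print(check_pape_response(tampered, key, 2))                          # signature no longer matches
```

The check only covers the OP-to-RP direction: OpenID 2.0 gives the RP no way to sign its own PAPE request parameters, which is point 5 above, and a valid signature over the response still leaves the RP trusting whatever level the OP chose to assert.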


