[OpenID] Building on the OpenID PAPE specification

Brian Kelly brian.kelly at trustbearer.com
Tue Oct 7 13:39:39 UTC 2008


Dick,

When we completed the first draft of PAPE-AM, we sent it to the PAPE
specs working group list for input. It was promptly dismissed since it
went against the PAPE WG charter, which states that only high-level
policies should be included in the spec.

At that point the PAPE-AM team decided that it would be a good idea to
open the discussion up to the broader OpenID community to seek
guidance on next steps. I encourage the PAPE WG folks to comment on
this as well.

To your second point about how the RP should not care about how the
user was authenticated, I agree that the trust needs to start at the
OP. The main issue we were trying to address in PAPE-AM is that there
is too much ambiguity in the high-level policies as stated in PAPE
today. This ambiguity makes it difficult for both OPs and RPs to
understand what kind of authentication was actually used.

Brian

On Oct 6, 2008, at 7:12 PM, Dick Hardt wrote:

>
> Brian: did you participate in the PAPE spec? That would have been
> the place to have brought up this issue.
>
> Although I did not participate in the PAPE specification (only so
> much time) -- I was supportive of the high level policies vs
> specific technologies. The RP really does not (well, *should* not)
> care about how the user was authenticated, just about how much
> certainty the OP has that it is the user. It is the OP making the
> assertion after all. Keep in mind I can have an OP that says that
> all the factors were used, even if they were not.
>
> -- Dick
>
>
> On 6-Oct-08, at 2:28 PM, Brian Kelly wrote:
>
>> A few months ago, some members from the OATH community and I got
>> together to take a fresh look at the PAPE spec, what it was trying to
>> accomplish, and how well it could be implemented. We started holding
>> semi-weekly conference calls and over the period of a couple months we
>> drafted up a slightly new take on PAPE.
>>
>> The main difference is that we defined a specific set of
>> authentication methods, rather than only using high-level policies.
>> After long discussions we found that there was too much ambiguity in
>> the high-level policies as defined today in PAPE. We created a draft
>> of our modified specification, termed PAPE-Authentication Mechanisms
>> (PAPE-AM), and we are beginning to socialize the concepts in that draft.
>>
>> I published a blog post summarizing our motivations, and wanted to
>> share it with the greater OpenID mailing list.
>>
>> http://openidtrustbearer.wordpress.com/2008/10/06/building-on-the-openid-pape-specification/
>>
>> I would appreciate hearing the thoughts of the readers on this mailing
>> list. Please respond publicly, or feel free to contact me directly.
>>
>> Thank you,
>> Brian
>>
>> --
>> Brian Kelly
>> TrustBearer Labs
>> http://trustbearer.com
>>
>> _______________________________________________
>> general mailing list
>> general at openid.net
>> http://openid.net/mailman/listinfo/general
>