[OpenID] Building on the OpenID PAPE specification

Brian Kelly brian.kelly at trustbearer.com
Tue Oct 7 14:26:47 UTC 2008


Peter / Paul / Nat / Tatsuki: Thank you for your input on PAPE & PAPE-AM.
Here is my condensed reply to the issues raised.

SAML authcontext values: Peter, we haven't yet discussed including these
in PAPE-AM. There is an auth channel security attribute that is loosely
related to some of the points you raised.

PAPE & PAPE-AM compatibility: Paul, it is too early in socializing the  
PAPE-AM specification to say if parts of it will or will not be  
included in PAPE. I would assume that nothing incompatible would be  
included in the final specification.

OP falsifying information: Peter, this will always be a possibility,  
regardless of any changes to PAPE or the broader OpenID spec. PAPE-AM  
is trying to reduce the ambiguity in PAPE policies so that an OP  
cannot _accidentally_ falsify information about how a user was  
authenticated.

3rd party certified assurance program: Nat, I agree that this is a  
good idea to help RPs decide which OPs to trust. But, this is outside  
the scope of the PAPE/PAPE-AM discussion.

NIST levels: Peter & Tatsuki, I agree that the NIST levels in the
current PAPE spec are not sufficient for describing authentication
details. Also, since they are optional and the focus is placed on the
policies (phishing-resistant, multi-factor, physical multi-factor),
there is less chance of their being used.

Brian

On Oct 7, 2008, at 2:19 AM, Peter Williams wrote:

> I don't belong in an OpenID WG, and I belong even less in the  
> steering group chartering WGs and issuing standards.
>
> If this was a last call on a non-WG commenting list, the steering  
> group just got non-WG input. It is often frustrating to WG members.
>
> 5. There is no means to authenticate the communication of PAPE
> requirements from the "consumer".
>
>
> -----Original Message-----
> From: Tatsuki Sakushima [mailto:tatsuki at nri.com]
> Sent: Monday, October 06, 2008 10:24 PM
> To: Nat
> Cc: Peter Williams; Brian Kelly; general at openid.net
> Subject: Re: [OpenID] Building on the OpenID PAPE specification
>
>> BTW, NIST levels are not particularly useful in OpenID AuthN 2.0 per
>> se. They need to be coupled with other extensions to support the
>> digital signature requirement for indirect communications.
>
> I proposed adding a digital signature feature into PAPE in the WG, but
> it was rejected for the same reason as PAPE-AM: it is out of scope in
> the current charter. Welcoming more people who are interested in
> improving PAPE is a good thing. However, a rule is a rule. If the scope
> doesn't aim at that, we can't make any improvement. I won't go against
> the current spec if most of the members in the WG really want to
> release it as it is. But I don't think it is sufficient to handle "NIST
> levels" information. Since PAPE has been transformed to target NIST
> levels (it used to be only for authentication methods, as far as I
> know), the purpose of the scope in the charter could be revisited and
> redefined.
>
> Or launching a new WG to add features which support PAPE is another
> idea. My question is which is better for implementors. If some
> features are always used together, they should be in the same spec.
>
> Tatsuki Sakushima
> NRI Pacific - Nomura Research Institute America, Inc.
>
> Nat wrote:
>> In addition, a third party certified assurance program is needed.
>>
>> BTW, NIST levels are not particularly useful in OpenID AuthN 2.0 per
>> se. They need to be coupled with other extensions to support the
>> digital signature requirement for indirect communications.
>>
>> =nat at TOKYO via iPhone
>>
>> On 2008/10/07, at 8:41, Peter Williams <pwilliams at rapattoni.com> wrote:
>>
>>> This is a general list vs a working group (where I don't belong).
>>> But, even so, we have heard 4 comments on pape:
>>>
>>> An op can lie and be conforming
>>>
>>> The nist levels do not satisfy the business needs of at least 1 mega op
>>>
>>> A nist level plus the inherently low assurance nature of openidauth
>>> protocol adds up to little (if anything), to those trained in
>>> information assurance doctrine
>>>
>>> Higher assurance ops need the means to signal details to the rp, so
>>> that the details would influence the rp (which presumes a conforming
>>> op is not lying).
>>>
>>> -----Original Message-----
>>> From: Paul Madsen <paulmadsen at rogers.com>
>>> Sent: Monday, October 06, 2008 3:26 PM
>>> To: Brian Kelly <brian.kelly at trustbearer.com>
>>> Cc: general at openid.net <general at openid.net>
>>> Subject: Re: [OpenID] Building on the OpenID PAPE specification
>>>
>>>
>>> Hi Brian, do you have any thoughts on how PAPE-AM will, or won't, be
>>> compatible with (as I understand the current situation) the soon-to-be
>>> standard PAPE?
>>>
>>> My company is facing some use cases that imply reconciling or mapping
>>> SAML Authentication Context and PAPE, so I'm concerned about a split
>>> here.
>>>
>>> thanks
>>>
>>> paul
>>>
>>> Brian Kelly wrote:
>>>> A few months ago, some members from the OATH community and I got
>>>> together to take a fresh look at the PAPE spec, what it was trying to
>>>> accomplish, and how well it could be implemented. We started holding
>>>> semi-weekly conference calls and over the period of a couple of months
>>>> we drafted up a slightly new take on PAPE.
>>>>
>>>> The main difference is that we defined a specific set of
>>>> authentication methods, rather than only using high-level policies.
>>>> After long discussions we found that there was too much ambiguity in
>>>> the high-level policies as defined today in PAPE. We created a draft
>>>> of our modified specification, termed PAPE-Authentication Mechanisms
>>>> (PAPE-AM), and we are beginning to socialize the concepts in that
>>>> draft.
>>>>
>>>> I published a blog post summarizing our motivations, and wanted to
>>>> share it with the greater OpenID mailing list.
>>>>
>>>> http://openidtrustbearer.wordpress.com/2008/10/06/building-on-the-openid-pape-specification/
>>>>
>>>> I would appreciate hearing the thoughts of the readers on this mailing
>>>> list. Please respond publicly, or feel free to contact me directly.
>>>>
>>>> Thank you,
>>>> Brian
>>>>
>>>> --
>>>> Brian Kelly
>>>> TrustBearer Labs
>>>> http://trustbearer.com
>>>>
>>>> _______________________________________________
>>>> general mailing list
>>>> general at openid.net
>>>> http://openid.net/mailman/listinfo/general
>>>>
>>>>
>>>>
>>> --
>>> Paul Madsen            e:paulmadsen @ ntt-at.com
>>> NTT                    p:613-482-0432
>>>                      m:613-302-1428
>>>                      aim:PaulMdsn5
>>>                      web:connectid.blogspot.com
>>>
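The thread turns on what an RP can actually trust in a PAPE response: the policy URIs are coarse, nist_auth_level is optional, and (as Peter puts it) an OP can lie and still be conforming. As an added example, not code from the thread, from PAPE-AM or from any OpenID library, the check below shows what an RP can verify on its side with the PAPE 1.0 parameter names; the sample request/response and the "level 3 or 4 implies multi-factor" sanity rule are constructed here for illustration.

```python
# Added example, not from the thread or any PAPE library: RP-side consistency check.
from datetime import datetime, timezone

PAPE_NS = "http://schemas.openid.net/pape/policies/2007/06/"
PHISHING_RESISTANT, MULTI_FACTOR, MULTI_FACTOR_PHYSICAL, NONE = (
    PAPE_NS + p for p in ("phishing-resistant", "multi-factor", "multi-factor-physical", "none"))


def check_pape_response(request, response, now):
    """Return a list of problems.  Empty means the OP's answer is well-formed and
    consistent with the request; it does NOT mean the claims are true."""
    problems = []
    wanted = set(request.get("openid.pape.preferred_auth_policies", "").split())
    got = set(response.get("openid.pape.auth_policies", "").split())
    if not got:  # auth_policies is mandatory in the response
        problems.append("auth_policies missing")
    elif NONE in got and len(got) > 1:  # 'none' must stand alone
        problems.append("'none' combined with other policies")
    # PAPE lets the OP report whatever it did; this RP insists on all it asked for.
    for policy in sorted(wanted - got):
        problems.append("requested policy not satisfied: " + policy)
    # If max_auth_age was requested, auth_time is mandatory and must be fresh.
    if "openid.pape.max_auth_age" in request:
        auth_time = response.get("openid.pape.auth_time")
        if auth_time is None:
            problems.append("auth_time missing although max_auth_age was requested")
        else:
            t = datetime.strptime(auth_time, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
            age = (now - t).total_seconds()
            if not 0 <= age <= int(request["openid.pape.max_auth_age"]):
                problems.append("auth_time outside max_auth_age: %d s old" % age)
    # nist_auth_level is optional (0-4).  SP 800-63 Levels 3 and 4 require multi-factor,
    # so a high level beside a single-factor policy set is a contradiction the RP can detect.
    level = response.get("openid.pape.nist_auth_level")
    if level is not None:
        if not level.isdigit() or int(level) > 4:
            problems.append("nist_auth_level out of range: " + level)
        elif int(level) >= 3 and not got & {MULTI_FACTOR, MULTI_FACTOR_PHYSICAL}:
            problems.append("nist_auth_level >= 3 without a multi-factor policy")
    return problems


# Constructed sample exchange (not captured traffic): two policies and a 5-minute window
# requested; the OP claims one policy yet asserts NIST level 3.
REQUEST = {"openid.pape.preferred_auth_policies": PHISHING_RESISTANT + " " + MULTI_FACTOR,
           "openid.pape.max_auth_age": "300"}
RESPONSE = {"openid.pape.auth_policies": PHISHING_RESISTANT,
            "openid.pape.auth_time": "2008-10-07T14:20:00Z",
            "openid.pape.nist_auth_level": "3"}
NOW = datetime(2008, 10, 7, 14, 26, 47, tzinfo=timezone.utc)
```

Everything the function flags is an inconsistency between what the RP asked and what the OP asserted; a response that passes is merely self-consistent, which is exactly the gap the thread is arguing about.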
