[OpenID] Building on the OpenID PAPE specification

Taylor Venable taylor at metasyntax.net
Wed Oct 8 18:22:19 UTC 2008


On Wed, Oct 08, 2008 at 09:47:07AM -0700, Dick Hardt wrote:
> If your goal is to narrow the number of OPs that can meet an RP's  
> requirements to being OP's that implement a specific technology  
> (yours? :-) -- you are going counter (IMHO) to the objectives of OpenID.

I don't think so; or if this general statement really is the case then
there are other parts of OpenID which must bear this sort of criticism
as well.  SREG has required fields which must be supplied to complete
registration -- if the OP does not provide these then the RP will not
perform the registration.  PAPE states that for an OP which does not
fulfill the RP requirements, "the OpenID login process cannot proceed
due to not meeting policy requirements."  Even more so than SREG, this
allows RPs to limit available OPs to those which support
authentication via a specific subset of available technologies.
PAPE-AM simply adds more detail and finer controls.  If PAPE-AM is
contrary to the spirit of OpenID, then so are other OpenID extensions
which have already been, or are about to be, approved standards.  With
all due respect to Mr Hardt, this conclusion is slightly absurd.

Furthermore, since a major goal of OpenID is to be a "way to use a
single digital identity across the Internet," obviously it would be
nice to have as many RPs get on board as possible.  Some of these RPs,
such as Microsoft's HealthVault service, want to narrow the list of
providers to those that they can trust will do a sufficiently good job
of authenticating users.  (Actually, to say "narrow" has a negative
connotation; Microsoft is not trying to force certain providers out of
the picture, but they are trying to ensure that ne'er-do-wells cannot
log into their service as other legitimate users.)  I would venture to
say that a number of relying parties, among them government sites and
financial institutions, would be interested in OpenID if they could be
more certain of specific high-quality origins of authentication.

-- 
Taylor Venable            http://real.metasyntax.net:2357/

foldr = lambda f, i, l: (len(l) == 1 and [f(l[0], i)] or
                         [f(l[0], foldr(f, i, l[1:]))])[0]
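The enforcement the message describes (an OP that does not return the policies the RP asked for, or the SREG fields it marked required, cannot complete the login) is easy to get subtly wrong on the RP side. The following is an added example, not code from this thread or from any OpenID library: an RP-side check of a positive assertion against the PAPE policies and max_auth_age it requested, plus a check for SREG required fields. Parameter names and policy URIs are those of PAPE 1.0 and SREG 1.1; the helper names, the sample responses, and the "now" timestamp are this example's own constructions. One caveat a practitioner should keep in mind: extension parameters are only as trustworthy as the signature that covers them, so the example refuses any PAPE field that is not listed in openid.signed.

```python
"""RP-side evaluation of a PAPE response (and SREG required fields).
Added example; parameter names/URIs from PAPE 1.0 and SREG 1.1, everything
else (helper names, sample data) is assumed/constructed for illustration."""
from datetime import datetime, timedelta, timezone

OPENID2_NS = "http://specs.openid.net/auth/2.0"
PAPE_NS = "http://specs.openid.net/extensions/pape/1.0"
SREG_NS = "http://openid.net/extensions/sreg/1.1"
POLICY_NONE = "http://schemas.openid.net/pape/policies/2007/06/none"
PHISHING_RESISTANT = "http://schemas.openid.net/pape/policies/2007/06/phishing-resistant"
MULTI_FACTOR = "http://schemas.openid.net/pape/policies/2007/06/multi-factor"
MULTI_FACTOR_PHYSICAL = "http://schemas.openid.net/pape/policies/2007/06/multi-factor-physical"
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"   # PAPE auth_time: UTC, second precision


def _alias_for(resp, ns_uri):
    """Return the alias the OP chose for an extension namespace (usually
    'pape' or 'sreg'), or None if the OP did not answer that extension."""
    for key, val in resp.items():
        if key.startswith("openid.ns.") and val == ns_uri:
            return key[len("openid.ns."):]
    return None


def _parse_time(s):
    return datetime.strptime(s, TIME_FMT).replace(tzinfo=timezone.utc)


def evaluate_pape(resp, required_policies, max_auth_age=None, now=None):
    """Decide whether an id_res assertion satisfies the RP's PAPE request.

    resp              -- response parameters, after openid.sig was verified
    required_policies -- policy URIs the RP insists on (all must be present)
    max_auth_age      -- seconds; if given, auth_time must be fresher
    now               -- 'YYYY-MM-DDThh:mm:ssZ' string (reproducible tests)
    Returns (True, 'ok') or (False, reason); False means the login cannot
    proceed, which is what PAPE tells the RP to do in that case."""
    alias = _alias_for(resp, PAPE_NS)
    if alias is None:
        return False, "OP returned no PAPE response"
    # A PAPE field that is not in openid.signed is not protected by the
    # assertion's signature and could have been altered in transit via the
    # user agent, so it must not be used for an access decision.
    signed = set(resp.get("openid.signed", "").split(","))
    for field in ("auth_policies", "auth_time", "nist_auth_level"):
        if f"openid.{alias}.{field}" in resp and f"{alias}.{field}" not in signed:
            return False, f"{alias}.{field} is not covered by openid.signed"
    policies = set(resp.get(f"openid.{alias}.auth_policies", POLICY_NONE).split())
    policies.discard(POLICY_NONE)   # 'none' is a placeholder, not a policy
    missing = set(required_policies) - policies
    if missing:
        return False, "policies not met: " + " ".join(sorted(missing))
    if max_auth_age is not None:
        auth_time = resp.get(f"openid.{alias}.auth_time")
        if auth_time is None:
            return False, "max_auth_age requested but OP sent no auth_time"
        current = _parse_time(now) if now else datetime.now(timezone.utc)
        if current - _parse_time(auth_time) > timedelta(seconds=max_auth_age):
            return False, "authentication is older than max_auth_age"
    return True, "ok"


def missing_sreg_fields(resp, required_fields):
    """SREG fields the RP listed in sreg.required that the OP did not supply;
    a non-empty result means registration cannot be completed."""
    alias = _alias_for(resp, SREG_NS)
    if alias is None:
        return list(required_fields)
    return [f for f in required_fields if not resp.get(f"openid.{alias}.{f}")]


# Constructed sample assertions (not captured traffic).  openid.sig and the
# other core fields are omitted; assume signature verification already passed.
BASE = {
    "openid.ns": OPENID2_NS,
    "openid.mode": "id_res",
    "openid.claimed_id": "http://example.com/alice",
    "openid.ns.pape": PAPE_NS,
    "openid.pape.auth_time": "2008-10-08T18:00:00Z",
    "openid.pape.nist_auth_level": "2",
    "openid.signed": ("op_endpoint,claimed_id,identity,return_to,response_nonce,"
                      "assoc_handle,ns.pape,pape.auth_policies,pape.auth_time,"
                      "pape.nist_auth_level"),
}
GOOD = {**BASE, "openid.pape.auth_policies": f"{PHISHING_RESISTANT} {MULTI_FACTOR}"}
WEAK = {**BASE, "openid.pape.auth_policies": POLICY_NONE}
# Same policies as GOOD, but left out of the signed list: must be rejected.
UNSIGNED = {**GOOD, "openid.signed":
            "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle"}

if __name__ == "__main__":
    for name, r in (("GOOD", GOOD), ("WEAK", WEAK), ("UNSIGNED", UNSIGNED)):
        print(name, evaluate_pape(r, [PHISHING_RESISTANT], 3600, now="2008-10-08T18:22:19Z"))
```

Run stand-alone it prints an accept for GOOD and a rejection reason for WEAK and UNSIGNED. The ordering matters: the signed-list check runs before the policy comparison, so an unsigned auth_policies value never gets a chance to satisfy the requirement.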



More information about the general mailing list