[OpenID] Building on the OpenID PAPE specification
Dick Hardt
dick.hardt at gmail.com
Wed Oct 8 18:23:02 UTC 2008
On 8-Oct-08, at 11:12 AM, Brian Kelly wrote:
> Dick,
>
> I think it would be helpful to define the specific authentication
> methods used as policies within PAPE. We could reduce the number of
> authentication details in the current version of PAPE-AM and come up
> with a list to be included as "authentication method URIs" in PAPE.
> e.g.
>
> PKI algo: http://schemas.openid.net/pape/pki/rsa/1024
> Private key storage: http://schemas.openid.net/pape/pki/hardware-key-nonexportable
> OTP: http://schemas.openid.net/pape/otp/hotp
> Channel Security: http://schemas.openid.net/pape/channel/ssl_ev
I have not seen the latest PAPE spec, but my understanding was that
anyone could create a namespace that defines a policy. Nothing stops
you from creating a namespace you think is important and promoting
people to adopt it.
Ideally PAPE would not define any of the policies, but the reality of
adoption is you need to stick a stake in the ground to get it started.
The mechanism allows OPs and RPs to use whatever makes sense.
>
>
> To your second point, I would argue that not all OPs are created
> equal. I see the OpenID landscape evolving into a variety of
> "security levels" of OPs and RPs. Do I need an OP that requires a
> hardware key to make a comment on a blog? No. But I do see the value
> in having a "high security" OP to login to my bank account and
> transfer money.
I agree with you here wrt. different RPs will require OPs with
different "security levels" -- the objective is to standardize those
levels.
>
>
> The need for more-secure OPs is evident by the lack of RP adoption
> on commerce websites. These websites have more risk when it comes to
> compromised accounts. RPs have the right to discriminate which OPs
> they accept. And giving the RPs a framework with which to judge the
> security of OPs should help _increase_ adoption of OpenID.
Personally, I think more secure OPs is NOT the major barrier to RP
adoption on commerce websites. Usability and protocol security are
more significant in my opinion.
-- Dick
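The thread above discusses two mechanisms: an RP asking an OP for particular authentication policies (standard or custom namespace URIs), and the RP then deciding which OPs and assertions it will accept. The following Python is an added example, not code from this thread or from any OpenID library: an RP-side helper that builds the PAPE 1.0 request parameters and then checks what the OP actually signed and asserted, rather than treating its own request as evidence. The PAPE 1.0 parameter names (openid.pape.preferred_auth_policies, max_auth_age, auth_policies, auth_time, nist_auth_level) and the 2007/06 policy URIs are from the published PAPE specification; the "hardware-key-nonexportable" URI is the illustrative one from the quoted message and is not standardized; the OP endpoint, trusted-OP list and response dictionary are constructed for the demo.

```python
"""Added example (not part of the original thread): an RP requests PAPE
policies and then verifies the OP's signed assertion before trusting it."""
from datetime import datetime, timezone

PAPE_NS = "http://specs.openid.net/extensions/pape/1.0"
PAPE_NONE = "http://schemas.openid.net/pape/policies/2007/06/none"
# Standard PAPE 1.0 policy URIs
PHISHING_RESISTANT = "http://schemas.openid.net/pape/policies/2007/06/phishing-resistant"
MULTI_FACTOR_PHYSICAL = "http://schemas.openid.net/pape/policies/2007/06/multi-factor-physical"
# Illustrative custom policy URI from the quoted message (not a standardized one)
HARDWARE_KEY = "http://schemas.openid.net/pape/pki/hardware-key-nonexportable"


def build_pape_request(preferred_policies, max_auth_age=None):
    """Extra openid.* parameters the RP adds to its checkid_setup request."""
    params = {
        "openid.ns.pape": PAPE_NS,
        "openid.pape.preferred_auth_policies": " ".join(preferred_policies),
    }
    if max_auth_age is not None:
        params["openid.pape.max_auth_age"] = str(int(max_auth_age))
    return params


def evaluate_pape_response(resp, required_policies, max_auth_age, now, trusted_ops):
    """Decide whether an OP's positive assertion satisfies the RP's policy.

    Returns (accepted, reasons). Every check is on what the OP signed and
    asserted; the RP's own request proves nothing about how the user logged in.
    """
    reasons = []
    # 1. Only OPs the RP has decided to trust at this level count at all
    #    (the "not all OPs are created equal" point).
    op = resp.get("openid.op_endpoint")
    if op not in trusted_ops:
        reasons.append(f"OP {op!r} is not on the trusted list for this policy")
    # 2. The PAPE fields must be covered by the assertion's signature.
    signed = set(resp.get("openid.signed", "").split(","))
    for field in ("ns.pape", "pape.auth_policies", "pape.auth_time"):
        if field not in signed:
            reasons.append(f"field openid.{field} is not signed")
    if resp.get("openid.ns.pape") != PAPE_NS:
        reasons.append("response does not carry the PAPE 1.0 namespace")
    # 3. Every required policy must be asserted by the OP, not merely requested.
    asserted = set(resp.get("openid.pape.auth_policies", "").split())
    asserted.discard(PAPE_NONE)
    missing = [p for p in required_policies if p not in asserted]
    if missing:
        reasons.append("OP did not assert required policies: " + ", ".join(missing))
    # 4. Freshness: auth_time must be within max_auth_age of now.
    raw = resp.get("openid.pape.auth_time")
    try:
        auth_time = datetime.strptime(raw, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except (TypeError, ValueError):
        reasons.append("missing or malformed openid.pape.auth_time")
    else:
        age = (now - auth_time).total_seconds()
        if age < 0 or age > max_auth_age:
            reasons.append(f"authentication is {age:.0f}s old, limit is {max_auth_age}s")
    return (not reasons, reasons)


# Constructed sample: a positive assertion from a hypothetical "high security" OP.
SAMPLE_RESPONSE = {
    "openid.ns": "http://specs.openid.net/auth/2.0",
    "openid.mode": "id_res",
    "openid.op_endpoint": "https://op.example/openid",
    "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,"
                     "assoc_handle,ns.pape,pape.auth_policies,pape.auth_time",
    "openid.ns.pape": PAPE_NS,
    "openid.pape.auth_policies": f"{PHISHING_RESISTANT} {MULTI_FACTOR_PHYSICAL}",
    "openid.pape.auth_time": "2008-10-08T18:00:00Z",
    "openid.pape.nist_auth_level": "3",
}


def demo(now=datetime(2008, 10, 8, 18, 5, 0, tzinfo=timezone.utc)):
    """Evaluate the sample against a 'bank login' policy: two policies, 10-minute freshness."""
    return evaluate_pape_response(
        SAMPLE_RESPONSE, [PHISHING_RESISTANT, MULTI_FACTOR_PHYSICAL],
        max_auth_age=600, now=now, trusted_ops={"https://op.example/openid"})


if __name__ == "__main__":
    print(build_pape_request([PHISHING_RESISTANT, HARDWARE_KEY], 600))
    print(demo())
```

Requiring the custom HARDWARE_KEY URI against this sample fails, since the OP never asserted it, which is the intended behaviour: a policy URI only means something once an OP the RP trusts is willing to sign it in auth_policies.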