[OpenID] Building on the OpenID PAPE specification

David Recordon drecordon at sixapart.com
Thu Oct 9 08:12:51 UTC 2008


Hey Dick,
The current draft of the PAPE spec is at http://openid.net/specs/openid-provider-authentication-policy-extension-1_0-05.html and as you said allows anyone to define policy URLs.

--David

On Oct 8, 2008, at 7:23 PM, Dick Hardt wrote:

>
> On 8-Oct-08, at 11:12 AM, Brian Kelly wrote:
>
>> Dick,
>>
>> I think it would be helpful to define the specific authentication
>> methods used as policies within PAPE. We could reduce the number of
>> authentication details in the current version of PAPE-AM and come up
>> with a list to be included as "authentication method URIs" in PAPE.
>> e.g.
>>
>> PKI algo: http://schemas.openid.net/pape/pki/rsa/1024
>> Private key storage: http://schemas.openid.net/pape/pki/hardware-key-nonexportable
>> OTP: http://schemas.openid.net/pape/otp/hotp
>> Channel Security: http://schemas.openid.net/pape/channel/ssl_ev
>
> I have not seen the latest PAPE spec, but my understanding was that
> anyone could create a namespace that defines a policy. Nothing stops
> you from creating a namespace you think is important and promoting
> people to adopt it.
>
> Ideally PAPE would not define any of the policies, but the reality of
> adoption is you need to stick a stake in the ground to get it started.
> The mechanism allows OPs and RPs to use whatever makes sense.
>
>>
>>
>> To your second point, I would argue that not all OPs are created
>> equal. I see the OpenID landscape evolving into a variety of
>> "security levels" of OPs and RPs. Do I need an OP that requires a
>> hardware key to make a comment on a blog? No. But I do see the value
>> in having a "high security" OP to login to my bank account and
>> transfer money.
>
> I agree with you here wrt. different RPs will require OPs with
> different "security levels" -- the objective is to standardize those
> levels.
>
>>
>>
>> The need for more-secure OPs is evident by the lack of RP adoption
>> on commerce websites. These websites have more risk when it comes to
>> compromised accounts. RPs have the right to discriminate which OPs
>> they accept. And giving the RPs a framework with which to judge the
>> security of OPs should help _increase_ adoption of OpenID.
>
>
> Personally, I think more secure OPs is NOT the major barrier to RP
> adoption on commerce websites.  Usability and protocol security are
> more significant in my opinion.
>
> -- Dick
>
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general
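The mechanism the thread is discussing, worked through end to end as an added example (this is not code from the PAPE spec, from OpenID libraries or from any participant in the thread): the RP asks for policies with openid.pape.preferred_auth_policies and openid.pape.max_auth_age, the OP asserts the policies it actually applied in openid.pape.auth_policies together with openid.pape.auth_time, and the RP checks that its required policies are among the asserted ones, that the authentication is fresh, and that the PAPE fields are covered by the OP's signature (otherwise anything in transit could add a "multi-factor" claim). The two 2007/06 policy URIs and the "none" URI are the standard ones; the hardware-key URI, the association key, the claimed identifier and the timestamps are constructed for the example. Signing follows the OpenID 2.0 key-value form (one "field:value" line per signed field, HMAC-SHA256, base64); discovery, return_to and nonce checks that a real RP also performs are omitted.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

PAPE_NS = "http://specs.openid.net/extensions/pape/1.0"
PAPE_NONE = "http://schemas.openid.net/pape/policies/2007/06/none"
PHISHING_RESISTANT = "http://schemas.openid.net/pape/policies/2007/06/phishing-resistant"
MULTI_FACTOR = "http://schemas.openid.net/pape/policies/2007/06/multi-factor"
# Hypothetical policy URI coined by some party (assumption, not in the spec):
# PAPE lets anyone define one, which is the point made in the thread.
HW_KEY = "http://policies.example.com/pape/hardware-key-nonexportable"

# PAPE response fields the RP insists are covered by openid.signed.
PAPE_FIELDS = ("ns.pape", "pape.auth_policies", "pape.auth_time")


def build_pape_request(preferred_policies, max_auth_age=None):
    """RP side: the PAPE parameters added to an OpenID checkid_setup request."""
    params = {
        "openid.ns.pape": PAPE_NS,
        "openid.pape.preferred_auth_policies": " ".join(preferred_policies),
    }
    if max_auth_age is not None:
        params["openid.pape.max_auth_age"] = str(max_auth_age)
    return params


def sign_fields(mac_key, signed_fields, params):
    """OpenID 2.0 signature: 'field:value\\n' per signed field, HMAC-SHA256, base64.
    A field named in openid.signed but absent from the message signs as empty, so
    the comparison on the RP side fails for it."""
    msg = "".join(f"{f}:{params.get('openid.' + f, '')}\n" for f in signed_fields)
    mac = hmac.new(mac_key, msg.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")


def op_positive_assertion(mac_key, applied_policies, auth_time, sign_pape=True):
    """Simulated OP: asserts only the policies it really applied, then signs.
    sign_pape=False models a sloppy OP that leaves the PAPE fields unsigned."""
    params = {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "id_res",
        "openid.claimed_id": "https://alice.example.org/",  # constructed
        "openid.ns.pape": PAPE_NS,
        "openid.pape.auth_policies": " ".join(applied_policies) or PAPE_NONE,
        "openid.pape.auth_time": auth_time.strftime("%Y-%m-%dT%H:%M:%SZ"),
    }
    signed = ["ns", "mode", "claimed_id"]
    if sign_pape:
        signed += list(PAPE_FIELDS)
    params["openid.signed"] = ",".join(signed)
    params["openid.sig"] = sign_fields(mac_key, signed, params)
    return params


def verify_pape_response(resp, mac_key, required_policies, max_auth_age, now):
    """RP side. Returns (ok, reasons); reasons is empty exactly when ok is True."""
    signed = resp.get("openid.signed", "").split(",")
    if not hmac.compare_digest(sign_fields(mac_key, signed, resp), resp.get("openid.sig", "")):
        return False, ["signature mismatch"]
    reasons = []
    missing = [f for f in PAPE_FIELDS if f not in signed]
    if missing:
        reasons.append("PAPE fields not covered by signature: " + ", ".join(missing))
    if resp.get("openid.ns.pape") != PAPE_NS:
        reasons.append("unexpected or missing PAPE namespace")
    # "none" means no policy was applied; drop it so it never satisfies anything.
    asserted = set(resp.get("openid.pape.auth_policies", PAPE_NONE).split())
    asserted.discard(PAPE_NONE)
    unmet = set(required_policies) - asserted
    if unmet:
        reasons.append("required policies not asserted: " + ", ".join(sorted(unmet)))
    try:
        auth_time = datetime.strptime(
            resp.get("openid.pape.auth_time", ""), "%Y-%m-%dT%H:%M:%SZ"
        ).replace(tzinfo=timezone.utc)
    except ValueError:
        reasons.append("missing or malformed auth_time")
    else:
        age = now - auth_time
        if age < timedelta(0) or age > timedelta(seconds=max_auth_age):
            reasons.append(f"authentication too old: {int(age.total_seconds())}s > {max_auth_age}s")
    return (not reasons), reasons


if __name__ == "__main__":
    key = b"constructed-association-key-not-a-real-secret"
    now = datetime(2008, 10, 9, 8, 12, 51, tzinfo=timezone.utc)
    required = [PHISHING_RESISTANT, MULTI_FACTOR]
    print(build_pape_request(required, max_auth_age=300))
    strong = op_positive_assertion(key, required + [HW_KEY], now - timedelta(seconds=120))
    print(verify_pape_response(strong, key, required, 300, now))
    weak = op_positive_assertion(key, [PHISHING_RESISTANT], now - timedelta(seconds=120))
    print(verify_pape_response(weak, key, required, 300, now))
```

The policy check is only as good as the OP making the assertion: an OP that signs "multi-factor" after a password login passes this code, so in practice the RP applies it to OPs it has chosen to accept, which is the discrimination among OPs that Brian describes. The extra HW_KEY URI in the strong response is simply ignored, since the RP compares against what it requires rather than rejecting unknown policies.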