[OpenID] Building on the OpenID PAPE specification
Peter Williams
pwilliams at rapattoni.com
Thu Oct 9 09:58:02 UTC 2008
I read it as saying
NIST ns is mandatory for 1.1, optional for 2.0.
There is inconsistency in the use of terms. At some points the text specifies controls about authentication "policies", at others about authentication "levels" (section 1.2).
Or, it's actually correct. In that case, I don't understand some obviously very, very important subtlety. Given I'm pretty typically very dumb about web2.0 security models (which as a journalist once lectured me is all about "identity" not security) this would not be particularly surprising. Perhaps we are seeing a good example of how specifically identity2.0 semantics are being crafted - in a way that is subtly different to SAML's authnReq equivalents.
-----Original Message-----
From: general-bounces at openid.net [mailto:general-bounces at openid.net] On Behalf Of David Recordon
Sent: Thursday, October 09, 2008 1:13 AM
To: Dick Hardt
Cc: OpenID List
Subject: Re: [OpenID] Building on the OpenID PAPE specification
Hey Dick,
The current draft of the PAPE spec is at http://openid.net/specs/openid-provider-authentication-policy-extension-1_0-05.html
and as you said allows anyone to define policy URLs.
--David
On Oct 8, 2008, at 7:23 PM, Dick Hardt wrote:
>
> On 8-Oct-08, at 11:12 AM, Brian Kelly wrote:
>
>> Dick,
>>
>> I think it would be helpful to define the specific authentication
>> methods used as policies within PAPE. We could reduce the number of
>> authentication details in the current version of PAPE-AM and come up
>> with a list to be included as "authentication method URIs" in PAPE.
>> e.g.
>>
>> PKI algo: http://schemas.openid.net/pape/pki/rsa/1024
>> Private key storage: http://schemas.openid.net/pape/pki/hardware-key-nonexportable
>> OTP: http://schemas.openid.net/pape/otp/hotp
>> Channel Security: http://schemas.openid.net/pape/channel/ssl_ev
>
> I have not seen the latest PAPE spec, but my understanding was that
> anyone could create a namespace that defines a policy. Nothing stops
> you from creating a namespace you think is important and promoting
> people to adopt it.
>
> Ideally PAPE would not define any of the policies, but the reality of
> adoption is you need to stick a stake in the ground to get it started.
> The mechanism allows OPs and RPs to use whatever makes sense.
>
>>
>>
>> To your second point, I would argue that not all OPs are created
>> equal. I see the OpenID landscape evolving into a variety of
>> "security levels" of OPs and RPs. Do I need an OP that requires a
>> hardware key to make a comment on a blog? No. But I do see the value
>> in having a "high security" OP to login to my bank account and
>> transfer money.
>
> I agree with you here wrt. different RPs will require OPs with
> different "security levels" -- the objective is to standardize those
> levels.
>
>>
>>
>> The need for more-secure OPs is evident by the lack of RP adoption
>> on commerce websites. These websites have more risk when it comes to
>> compromised accounts. RPs have the right to discriminate which OPs
>> they accept. And giving the RPs a framework with which to judge the
>> security of OPs should help _increase_ adoption of OpenID.
>
>
> Personally, I think more secure OPs is NOT the major barrier to RP
> adoption on commerce websites. Usability and protocol security are
> more significant in my opinion.
>
> -- Dick
>
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general
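As an added illustration of the RP side of the mechanism discussed above (this is not code from the thread, from David's draft, or from the PAPE spec): the RP accepts whatever policy URIs the OP asserts, but only counts them if they are covered by the assertion's signature, and then maps them onto its own "security levels". The three policy URIs are the ones PAPE 1.0 defines; the level mapping, the sample response and the namespace alias `pape` are assumptions, and signature verification itself is assumed to have already succeeded elsewhere.

```python
# Added example, not part of the thread or the PAPE specification.
# Policy URIs defined by PAPE 1.0 (an OP or RP may also define its own).
PHISHING_RESISTANT = "http://schemas.openid.net/pape/policies/2007/06/phishing-resistant"
MULTI_FACTOR = "http://schemas.openid.net/pape/policies/2007/06/multi-factor"
MULTI_FACTOR_PHYSICAL = "http://schemas.openid.net/pape/policies/2007/06/multi-factor-physical"

# Hypothetical RP policy: each "level" names the policy URIs that must ALL be met.
LEVELS = {
    "comment": set(),                                   # blog comment: anything goes
    "account": {PHISHING_RESISTANT},                    # log in to an account
    "transfer": {PHISHING_RESISTANT, MULTI_FACTOR_PHYSICAL},  # move money
}


def parse_pape_policies(response: dict) -> set:
    """Return the set of policy URIs the OP asserts were met.

    The PAPE parameters are trusted only if they are listed in openid.signed,
    i.e. covered by the (already verified) signature; otherwise an attacker
    could append unsigned policy claims to the response. The namespace alias
    is assumed to be "pape" (the field in openid.signed is "pape.auth_policies").
    """
    signed = set(response.get("openid.signed", "").split(","))
    if "pape.auth_policies" not in signed:
        return set()
    value = response.get("openid.pape.auth_policies", "none").strip()
    if value == "none":            # PAPE's explicit "no policies met" marker
        return set()
    return set(value.split())      # space-separated URIs


def satisfied_level(response: dict, wanted: str) -> bool:
    """True if every policy the RP requires for `wanted` was asserted (signed)."""
    return LEVELS[wanted] <= parse_pape_policies(response)


# Constructed sample positive assertion (not captured from any real OP).
SAMPLE = {
    "openid.mode": "id_res",
    "openid.ns.pape": "http://specs.openid.net/extensions/pape/1.0",
    "openid.pape.auth_policies": PHISHING_RESISTANT + " " + MULTI_FACTOR,
    "openid.signed": "op_endpoint,claimed_id,identity,return_to,"
                     "response_nonce,assoc_handle,pape.auth_policies",
}

if __name__ == "__main__":
    for level in LEVELS:
        print(level, satisfied_level(SAMPLE, level))
```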