[OpenID] PAPE Specification Review Period Commencing

Peter Williams pwilliams at rapattoni.com
Wed Oct 22 20:10:08 UTC 2008


Authentication Policy:
An Authentication Policy is a plain-text description of requirements that dictate which Authentication Methods can be used by an End User when authenticating to their OpenID Provider. An Authentication Policy is defined by a URI which must be previously agreed upon by one or more OPs and RPs.


I'd still call attention to the MUST BE PREVIOUSLY AGREED.

I don't see why it has to be so restrictive; one could be legitimately making a "dynamic" agreement, consistent with the UCI component of OpenID. This agreement might be delivered using something as simple as some URI extension in the OP's server cert. Relying on that cert as a consumer (and a certificate "user", formally), one henceforth has, under the relying party agreement with the CA, an agreement ...that URI U denotes Authentication Policy P.

Of course, since reliance on the PKI in https probably happens "PREVIOUS" to reliance on the OpenID PAPE extensions, it's already complying with the "MUST BE PREVIOUSLY AGREED". But that is hardly in the spirit of the story the words tell, to a normal reader.