[OpenID] Why spoofing and OpenID look so much alike
Allen Tom
atom at yahoo-inc.com
Mon Sep 29 18:53:29 UTC 2008
Peter Williams wrote:
> So I just half read the document, for the first time (that I recall). It's not 'finalized' - so to date I've ignored it.
>
> Regardless, I'll assume Yahoo OP is using it, irrespective of its draft status
Currently, the Yahoo OP only uses the PAPE extension to return
openid.pape.nist_auth_level=0 for all our assertions to indicate to RPs
that the assertion should not be used to authorize transactions of
monetary value. The next version of the PAPE spec will contain new text
which explains appropriate use for NIST level 0.
RPs which require more security than what is offered by NIST Level 0
(aka a long-lived browser cookie) probably would need to have a
business/legal/trust relationship with the OP to ensure that the user is
authenticated in a manner acceptable to the RP.
Allen
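As an added illustration of the RP-side handling Allen describes (example code written for this page, not part of the thread or of Yahoo's implementation): the RP resolves the PAPE namespace alias, confirms the level field is covered by the assertion's signature, and treats a missing, unsigned or level-0 value as unsuitable for anything beyond a plain login. It assumes the OpenID library has already verified the signature itself, and the sample response is constructed.

```python
# Added example (not from the thread): RP-side check of the PAPE fields in
# an OpenID 2.0 positive assertion. Assumes openid.sig has already been
# verified by the OpenID library; this only decides what the fields mean.
PAPE_NS = "http://specs.openid.net/extensions/pape/1.0"


def pape_alias(params):
    """Find the alias under which the PAPE namespace was declared.
    It is usually 'pape', but the OP may choose any alias."""
    for key, value in params.items():
        if key.startswith("openid.ns.") and value == PAPE_NS:
            return key[len("openid.ns."):]
    return None


def signed_fields(params):
    # openid.signed lists the keys (without the 'openid.' prefix) covered
    # by the signature; extension fields outside it must not be trusted.
    return set(params.get("openid.signed", "").split(","))


def nist_auth_level(params):
    """Asserted NIST level, or 0 if absent, unsigned or malformed."""
    alias = pape_alias(params)
    if alias is None:
        return 0
    field = f"{alias}.nist_auth_level"
    if field not in signed_fields(params):
        return 0  # present but outside the signature: treat as unasserted
    try:
        level = int(params.get(f"openid.{field}", "0"))
    except ValueError:
        return 0
    return level if 0 <= level <= 4 else 0


def allowed(params, required_level):
    """Policy hook: True if the assertion meets the operation's level."""
    return nist_auth_level(params) >= required_level


# Constructed sample of the fields an OP returning level 0 might send;
# values are illustrative, not a captured Yahoo response.
SAMPLE = {
    "openid.ns": "http://specs.openid.net/auth/2.0",
    "openid.mode": "id_res",
    "openid.ns.pape": PAPE_NS,
    "openid.pape.auth_policies": "http://schemas.openid.net/pape/policies/2007/06/none",
    "openid.pape.nist_auth_level": "0",
    "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,"
                     "assoc_handle,ns.pape,pape.auth_policies,pape.nist_auth_level",
}

if __name__ == "__main__":
    print("login allowed:", allowed(SAMPLE, 0))    # True
    print("payment allowed:", allowed(SAMPLE, 2))  # False
```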