[OpenID] Why spoofing and OpenID look so much alike
Paul Madsen
paulmadsen at rogers.com
Mon Sep 29 19:11:45 UTC 2008
Allen, in PAPE Level 0 means "didn't meet the requirements of NIST Level
1", i.e. it's a PAPE policy URI and doesn't correspond to any of the 4
NIST levels.
Are you suggesting that the next version of PAPE will extend the 4 NIST
levels 'downwards', i.e. specify policies and procedures for a new level
comparable to what NIST 800-63 does, as well as cite the appropriate
risk profile for apps for which the new level would be appropriate
(comparable to OMB m04-040)?
thanks
paul
Allen Tom wrote:
> Peter Williams wrote:
>
> >> So I just half read the document, for the first time (that I recall). It's not 'finalized', so to date I've ignored it.
>>
>> Regardless, I'll assume Yahoo OP is using it, irrespective of its draft status
>>
>
> Currently, the Yahoo OP only uses the PAPE extension to return
> openid.pape.nist_auth_level=0 for all our assertions to indicate to RPs
> that the assertion should not be used to authorize transactions of
> monetary value. The next version of the PAPE spec will contain new text
> which explains appropriate use for NIST level 0.
>
> RPs which require more security than what is offered by NIST Level 0
> (aka a long-lived browser cookie) probably would need to have a
> business/legal/trust relationship with the OP to ensure that the user is
> authenticated in a manner acceptable to the RP.
>
> Allen
--
Paul Madsen
NTT
e: paulmadsen @ ntt-at.com
p: 613-482-0432
m: 613-302-1428
aim: PaulMdsn5
web: connectid.blogspot.com
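The thread above describes an OP returning openid.pape.nist_auth_level=0 and says such assertions must not be used to authorize transactions of monetary value. The following is an added example, not code from the thread, the OpenID project or Yahoo, of how an RP can enforce that: it reads the PAPE level from a positive assertion, accepts it only when the field is inside openid.signed (a PAPE field outside the signed list could have been added on the wire), and compares it with a per-operation minimum. The extension alias "pape", the endpoint and identifier values, the sample responses and the per-operation thresholds other than the level-0 rule are assumptions made for the example; signature verification of the assertion is assumed to have happened already.

```python
"""Added example: RP-side enforcement of the PAPE nist_auth_level.

Sample responses are constructed; the alias 'pape' for the PAPE namespace
is an assumption (an OP may declare any alias via openid.ns.<alias>).
"""
from urllib.parse import parse_qsl, urlencode

PAPE_NS = "http://specs.openid.net/extensions/pape/1.0"
# Defined in PAPE 1.0 as the "no policy" value; used here as sample data.
PAPE_POLICY_NONE = "http://schemas.openid.net/pape/policies/2007/06/none"

# Minimum NIST 800-63 level per operation. Level 0 being unfit for
# monetary transactions comes from the thread; other thresholds are
# illustrative assumptions, not anything the thread specifies.
REQUIRED_LEVEL = {
    "read_profile": 0,
    "post_comment": 1,
    "purchase": 2,
}


def make_response(level, sign_pape=True):
    """Construct a minimal OpenID 2.0 positive assertion (sample data only)."""
    signed = ["op_endpoint", "claimed_id", "identity", "return_to",
              "response_nonce", "assoc_handle"]
    if sign_pape:
        signed += ["pape.auth_policies", "pape.nist_auth_level"]
    fields = {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "id_res",
        "openid.op_endpoint": "https://op.example/openid",      # constructed
        "openid.claimed_id": "https://user.example/",           # constructed
        "openid.identity": "https://user.example/",             # constructed
        "openid.return_to": "https://rp.example/return",        # constructed
        "openid.response_nonce": "2008-09-29T19:11:45Zabc",     # constructed
        "openid.assoc_handle": "handle-placeholder",            # constructed
        "openid.ns.pape": PAPE_NS,
        "openid.pape.auth_policies": PAPE_POLICY_NONE,
        "openid.pape.nist_auth_level": str(level),
        "openid.signed": ",".join(signed),
        "openid.sig": "c2lnbmF0dXJlLXBsYWNlaG9sZGVy",           # placeholder
    }
    return urlencode(fields)


def parse_response(query):
    """Turn the query string of an indirect response into a field dict."""
    return dict(parse_qsl(query, keep_blank_values=True))


def find_pape_alias(fields):
    """Return the alias under which the OP declared the PAPE namespace, or None."""
    for key, value in fields.items():
        if key.startswith("openid.ns.") and value == PAPE_NS:
            return key[len("openid.ns."):]
    return None


def pape_nist_level(fields):
    """Return the asserted nist_auth_level (0-4) or None.

    None means the level is absent, not covered by openid.signed, or not a
    valid integer; the caller must treat that as unknown strength rather than
    as any particular level.
    """
    alias = find_pape_alias(fields)
    if alias is None:
        return None
    signed = set(fields.get("openid.signed", "").split(","))
    key = f"{alias}.nist_auth_level"
    if key not in signed:
        return None
    try:
        level = int(fields.get(f"openid.{key}", ""))
    except ValueError:
        return None
    return level if 0 <= level <= 4 else None


def authorize(operation, response_query):
    """Return (allowed, reason) for using this assertion for the operation."""
    fields = parse_response(response_query)
    if fields.get("openid.mode") != "id_res":
        return False, "not a positive assertion"
    needed = REQUIRED_LEVEL[operation]
    if needed == 0:
        return True, "operation accepts any assertion"
    level = pape_nist_level(fields)
    if level is None:
        return False, "no signed PAPE nist_auth_level: strength unknown"
    if level < needed:
        return False, f"nist_auth_level {level} below required {needed}"
    return True, f"nist_auth_level {level} meets required {needed}"


if __name__ == "__main__":
    for op in REQUIRED_LEVEL:
        print(op, authorize(op, make_response(0)))
```

Two design points matter in practice: an absent or unsigned PAPE level is reported as unknown and never silently mapped to level 0 or above, and a level 0 assertion is only good for operations that would accept any assertion, which is exactly the "not for transactions of monetary value" rule the OP is signalling. An RP that needs more than that, as the thread notes, has to establish its requirement with the OP out of band rather than infer it from the assertion alone.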