[OpenID] Why spoofing and OpenID look so much alike

Allen Tom atom at yahoo-inc.com
Mon Sep 29 20:50:35 UTC 2008


Hi Paul,

The next version of the PAPE spec will include a couple sentences 
describing NIST Level 0, which AFAIK is a new level that is only defined 
in the PAPE spec. OPs which authenticate users based on a long lived 
browser cookie do not meet the requirements of NIST Level 1, and PAPE 
defines a way for these OPs to label their assertions as NIST Level 0.

Consumer grade OPs, such as Yahoo, may choose to authenticate users 
based on long lived browser cookies, and will generate OpenID assertions 
without re-prompting for the user's password if the user has already 
authenticated with the OP. While this level of security may be 
sufficient for free services, it's definitely not appropriate to 
authorize any transaction of monetary value.

Allen


Paul Madsen wrote:
> Allen, in PAPE Level 0 means "didn't meet the requirements of NIST 
> Level 1", i.e. it's a PAPE policy URI and doesn't correspond to any of 
> the 4 NIST levels
>
> Are you suggesting that the next version of PAPE will extend the 4 
> NIST levels 'downwards', i.e. specify policies and procedures for a 
> new level comparable to what NIST 800 63 does? as well as cite what is 
> the appropriate risk profile for apps for which the new level would be 
> appropriate (comparable to OMB m04-040)?
>
> thanks
>
> paul
>
> Allen Tom wrote:
>> Peter Williams wrote:
>>  
>>> So I just half read the document, for the first time (that I 
>>> recall). It's not 'finalized' - so to date I've ignored it.
>>>
>>> Regardless, I'll assume Yahoo OP is using it, irrespective of its 
>>> draft status
>>>     
>>
>> Currently, the Yahoo OP only uses the PAPE extension to return 
>> openid.pape.nist_auth_level=0 for all our assertions to indicate to 
>> RPs that the assertion should not be used to authorize transactions 
>> of monetary value. The next version of the PAPE spec will contain new 
>> text which explains appropriate use for NIST level 0.
>>
>> RPs which require more security than what is offered by NIST Level 0 
>> (aka - a long lived browser cookie) probably would need to have a 
>> business/legal/trust relationship with the OP to ensure that the user 
>> is authenticated in a manner acceptable to the RP.
>>
>> Allen
>>
>>
>>
>> _______________________________________________
>> general mailing list
>> general at openid.net
>> http://openid.net/mailman/listinfo/general
>>
>>
>>   
>
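The thread above describes an OP returning openid.pape.nist_auth_level=0 on every assertion so that RPs do not use it to authorize transactions of monetary value. The following is an added example (not code from the thread, from Yahoo, or from the OpenID/PAPE specifications) of the RP-side check a practitioner would want: it locates the PAPE namespace alias in an OpenID 2.0 response, reads the asserted NIST level only if that field is covered by openid.signed, and treats an absent or unsigned level as "below any level". The sample responses, the claimed_id and the signature value are constructed; verifying openid.sig itself against the association is assumed to happen elsewhere in the RP before this policy check runs.

```python
"""Added example: RP-side policy check on the PAPE nist_auth_level field.

Assumptions (not from the thread): the RP has already verified openid.sig,
and the response parameters arrive as an application/x-www-form-urlencoded
query string. The sample assertions at the bottom are constructed.
"""
from urllib.parse import parse_qs, urlencode

# Namespace URI defined by PAPE 1.0 for the openid.ns.<alias> declaration.
PAPE_NS = "http://specs.openid.net/extensions/pape/1.0"


def parse_response(query_string):
    """Turn the OP's indirect response into a flat dict of openid.* params."""
    parsed = parse_qs(query_string, keep_blank_values=True)
    # OpenID 2.0 parameters are single-valued; parse_qs wraps them in lists.
    return {key: values[0] for key, values in parsed.items()}


def pape_alias(params):
    """Find the alias the OP bound to the PAPE namespace (e.g. 'pape' for
    openid.ns.pape). The alias is OP-chosen, so it must not be hard-coded.
    Returns None when the extension is absent from the response."""
    for key, value in params.items():
        if key.startswith("openid.ns.") and value == PAPE_NS:
            return key[len("openid.ns."):]
    return None


def nist_auth_level(params):
    """Return the asserted NIST level as an int, or None when it is missing,
    malformed, or not covered by the OP's signature. A value outside the
    signed field list could have been injected by whoever delivered the
    response to the RP, so it is treated as untrusted."""
    alias = pape_alias(params)
    if alias is None:
        return None
    field = f"{alias}.nist_auth_level"
    signed = set(params.get("openid.signed", "").split(","))
    # Both the level and the namespace binding that gives it meaning must be signed.
    if field not in signed or f"ns.{alias}" not in signed:
        return None
    raw = params.get(f"openid.{field}")
    if raw is None or not raw.isdigit():
        return None
    return int(raw)


def may_authorize(params, required_level):
    """Policy decision: allow only when a signed level meets required_level.
    Level 0 (long-lived cookie, per the thread) satisfies required_level=0 but
    never a monetary-transaction requirement of level 1 or higher."""
    level = nist_auth_level(params)
    return level is not None and level >= required_level


# Constructed sample: the shape of a cookie-based assertion as the thread
# describes it, with the PAPE fields included in the signed list.
COOKIE_ASSERTION = urlencode({
    "openid.ns": "http://specs.openid.net/auth/2.0",
    "openid.mode": "id_res",
    "openid.claimed_id": "https://me.example.invalid/constructed-user",
    "openid.ns.pape": PAPE_NS,
    "openid.pape.nist_auth_level": "0",
    "openid.signed": "op_endpoint,claimed_id,identity,return_to,"
                     "response_nonce,assoc_handle,ns.pape,pape.nist_auth_level",
    "openid.sig": "PLACEHOLDER-SIGNATURE",
})

# Constructed sample: same fields, but the PAPE level is NOT in openid.signed.
UNSIGNED_LEVEL_ASSERTION = urlencode({
    "openid.ns": "http://specs.openid.net/auth/2.0",
    "openid.mode": "id_res",
    "openid.claimed_id": "https://me.example.invalid/constructed-user",
    "openid.ns.pape": PAPE_NS,
    "openid.pape.nist_auth_level": "2",
    "openid.signed": "op_endpoint,claimed_id,identity,return_to,"
                     "response_nonce,assoc_handle",
    "openid.sig": "PLACEHOLDER-SIGNATURE",
})

if __name__ == "__main__":
    cookie = parse_response(COOKIE_ASSERTION)
    print("free service (level 0 ok):", may_authorize(cookie, 0))
    print("monetary transaction (level 1 needed):", may_authorize(cookie, 1))
    print("unsigned level is ignored:", nist_auth_level(parse_response(UNSIGNED_LEVEL_ASSERTION)))
```

The important design choice is the fail-closed handling: a response with no PAPE namespace, no nist_auth_level, or a level that is present but outside openid.signed all evaluate to None and therefore fail any required_level, which matches the thread's point that an RP needing more than Level 0 cannot get it from the assertion alone.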