[OpenID] Why spoofing and OpenID look so much alike
Paul Madsen
paulmadsen at rogers.com
Mon Sep 29 20:59:21 UTC 2008
Thanks Allen, while I see the value of such an authentication policy
(SAML called it 'previous session') I'd suggest that labeling it with
'NIST' might confuse.
Current PAPE makes it clear that, wrt NIST, it's not defining any new
policy or technology requirements. But this sounds different.
regards
paul
Allen Tom wrote:
> Hi Paul,
>
> The next version of the PAPE spec will include a couple sentences
> describing NIST Level 0, which AFAIK is a new level that is only
> defined in the PAPE spec. OPs which authenticate users based on a long
> lived browser cookie do not meet the requirements of NIST Level 1, and
> PAPE defines a way for these OPs to label their assertions as NIST Level 0.
>
> Consumer grade OPs, such as Yahoo, may choose to authenticate users
> based on long lived browser cookies, and will generate OpenID
> assertions without re-prompting for the user's password if the user
> has already authenticated with the OP. While this level of security
> may be sufficient for free services, it's definitely not appropriate
> to authorize any transaction of monetary value.
>
> Allen
>
>
> Paul Madsen wrote:
>> Allen, in PAPE Level 0 means "didn't meet the requirements of NIST
>> Level 1", i.e. it's a PAPE policy URI and doesn't correspond to any of
>> the 4 NIST levels.
>>
>> Are you suggesting that the next version of PAPE will extend the 4
>> NIST levels 'downwards', i.e. specify policies and procedures for a
>> new level comparable to what NIST 800-63 does? as well as cite what
>> is the appropriate risk profile for apps for which the new level
>> would be appropriate (comparable to OMB m04-040)?
>>
>> thanks
>>
>> paul
>>
>> Allen Tom wrote:
>>> Peter Williams wrote:
>>>
>>>> So I just half read the document, for the first time (that I
>>>> recall). It's not 'finalized' - so to date I've ignored it.
>>>>
>>>> Regardless, I'll assume Yahoo OP is using it, irrespective of its
>>>> draft status
>>>>
>>>
>>> Currently, the Yahoo OP only uses the PAPE extension to return
>>> openid.pape.nist_auth_level=0 for all our assertions to indicate to
>>> RPs that the assertion should not be used to authorize transactions
>>> of monetary value. The next version of the PAPE spec will contain
>>> new text which explains appropriate use for NIST level 0.
>>>
>>> RPs which require more security than what is offered by NIST Level 0
>>> (aka - a long lived browser cookie) probably would need to have a
>>> business/legal/trust relationship with the OP to ensure that the
>>> user is authenticated in a manner acceptable to the RP.
>>>
>>> Allen
>>>
>>>
>>>
>>> _______________________________________________
>>> general mailing list
>>> general at openid.net
>>> http://openid.net/mailman/listinfo/general
--
Paul Madsen e:paulmadsen @ ntt-at.com
NTT p:613-482-0432
m:613-302-1428
aim:PaulMdsn5
web:connectid.blogspot.com
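The thread's point for relying parties is that a PAPE assertion carrying nist_auth_level=0 must not gate anything of monetary value, and that the RP has to read the level out of the (signed) response rather than assume it. The following is an added example, not code from the thread, Yahoo, or any OpenID library: it resolves the PAPE namespace alias from an OpenID 2.0 positive assertion, only trusts the level if the field is listed in openid.signed, treats a missing or malformed level as unknown, and applies a per-action minimum. The PAPE 1.0 namespace URI is the published one; the function names, sample response and threshold table are constructed assumptions.

```python
# Added example (not from the thread or any OpenID library). The namespace URI
# is PAPE 1.0's published one; function names, thresholds and the sample
# response are constructed for illustration.
PAPE_NS = "http://specs.openid.net/extensions/pape/1.0"


def pape_alias(resp):
    """Return the alias under which PAPE is declared (usually 'pape'), or None."""
    for key, value in resp.items():
        if key.startswith("openid.ns.") and value == PAPE_NS:
            return key[len("openid.ns."):]
    return None


def nist_auth_level(resp):
    """Asserted NIST level (0-4), or None if absent, unsigned or malformed.

    Assumes the caller has already verified openid.sig; here we only check
    that the namespace declaration and the level are covered by openid.signed,
    so an unsigned extension field cannot upgrade the level.
    """
    alias = pape_alias(resp)
    if alias is None:
        return None
    field = f"{alias}.nist_auth_level"
    signed = set(resp.get("openid.signed", "").split(","))
    if f"ns.{alias}" not in signed or field not in signed:
        return None
    try:
        level = int(resp["openid." + field])
    except (KeyError, ValueError):
        return None
    return level if 0 <= level <= 4 else None


# Constructed thresholds: the RP decides these; level 0 (long-lived cookie)
# is enough for free/low-risk actions but never for a monetary transaction.
MIN_LEVEL = {"read_profile": 0, "post_comment": 0, "purchase": 1}


def allowed(resp, action):
    """True if the assertion's level meets the action's minimum; unknown => deny."""
    level = nist_auth_level(resp)
    return level is not None and level >= MIN_LEVEL[action]


SAMPLE = {  # constructed response shaped like the Yahoo-style assertion in the thread
    "openid.ns": "http://specs.openid.net/auth/2.0",
    "openid.mode": "id_res",
    "openid.ns.pape": PAPE_NS,
    "openid.pape.nist_auth_level": "0",
    "openid.signed": "op_endpoint,claimed_id,identity,return_to,"
                     "response_nonce,assoc_handle,ns.pape,pape.nist_auth_level",
    "openid.sig": "<signature placeholder>",
}
```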