On 7/9/07, <b class="gmail_sendername">John Panzer</b> <<a href="mailto:jpanzeracm@johnpanzer.com">jpanzeracm@johnpanzer.com</a>> wrote:<div><span class="gmail_quote"></span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
John Wang wrote:<br>> Recently I started considering OpenID authentication for a project. I<br>> watched two screencasts and spoke to a few people to get a general feel<br>> for the project and then jotted down my thoughts here:
<br>><br>> <a href="http://www.dev411.com/blog/2007/07/07/initial-thoughts-on-openid">http://www.dev411.com/blog/2007/07/07/initial-thoughts-on-openid</a><br>><br>> Some of the thoughts are similar to some posts on this list. Please let
<br>> me know where/if I'm wrong. I considered inlining the text but it's kind<br>> of long.<br><br>I saw your blog post earlier today and thought it was interesting. One<br>thing jumped out at me: There's a useful distinction between an OP
<br>which connects an identity to a real world person (as banks do), and an<br>OP which does not but does provide reasonably strong authentication of<br>'online-only' identities. So I'd like to have a 'tier
1.5', where I<br>want e.g. SSL/TLS but I don't need a full 'tier 1' OP assurance. I think<br>this is common.</blockquote><div><br>I agree this is a useful distinction. Thanks for mentioning it. </div><br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
I'd also note that an RP may have different assurance needs depending on<br>what it's planning to do. So rather than categorizing RPs, I'd<br>categorize RP operations. An RP should accept the minimal assurance
<br>necessary for its least secure operation (IMHO) and require upgrading as<br>necessary if a user attempts more secure operations.</blockquote><div><br>This sounds good for the specs but I didn't include it because it adds complexity for the article and I'm not sure how "theoretical" this is because I'm not sure how many organizations use this. I remember this coming up when authorization products were starting to get popular but didn't get the feeling that many organizations actually do this. Is this used at any popular sites?
<br></div><br></div>-- <br>John Wang<br><a href="http://www.dev411.com/blog/">http://www.dev411.com/blog/</a>
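<div>An added example, not from either message above, of the per-operation assurance policy Panzer describes: the RP records what the OP's assertion actually guarantees, maps each operation to a required tier, and asks for a fresh, stronger assertion only when a user attempts an operation above the current session's tier. The tier names, the BASIC tier below 'tier 1.5', and the operation names are assumptions for illustration.</div>

```python
"""Step-up assurance policy for an OpenID relying party (RP) -- illustrative, not a library API."""
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional, Tuple


class Tier(IntEnum):
    """Ordered so that a higher value means stronger assurance."""
    BASIC = 1      # assumed: OP asserts an identifier with no stated guarantees
    STRONG = 2     # 'tier 1.5': online-only identity, strongly authenticated over TLS
    IDENTITY = 3   # 'tier 1': OP ties the identifier to a real-world person (as banks do)


@dataclass(frozen=True)
class OpAssertion:
    """What the RP learned about how the OP authenticated the user (constructed fields)."""
    over_tls: bool
    strong_auth: bool        # the thread names no mechanism; treat as an opaque OP property
    identity_proofed: bool


def tier_of(assertion: OpAssertion) -> Tier:
    """Derive the assurance tier from the properties of one OP assertion."""
    if assertion.identity_proofed and assertion.over_tls and assertion.strong_auth:
        return Tier.IDENTITY
    if assertion.over_tls and assertion.strong_auth:
        return Tier.STRONG
    return Tier.BASIC


# Assurance is attached to operations, not to the RP as a whole (assumed operation names).
REQUIRED = {
    "read_feed": Tier.BASIC,
    "post_comment": Tier.BASIC,
    "change_email": Tier.STRONG,
    "transfer_funds": Tier.IDENTITY,
}


def login_floor() -> Tier:
    """The minimal assurance the RP accepts at login: that of its least secure operation."""
    return min(REQUIRED.values())


@dataclass(frozen=True)
class Session:
    user: str
    tier: Tier


def authorize(session: Session, operation: str) -> Tuple[bool, Optional[Tier]]:
    """Return (allowed, tier to step up to). Unknown operations are denied outright."""
    needed = REQUIRED.get(operation)
    if needed is None:
        return (False, None)
    if session.tier >= needed:
        return (True, None)
    return (False, needed)


def step_up(session: Session, fresh: OpAssertion) -> Session:
    """Apply a fresh OP assertion to the session; assurance is never silently lowered."""
    return Session(session.user, max(session.tier, tier_of(fresh)))
```

<div>A session authenticated at the floor can read and comment; attempting change_email returns (False, Tier.STRONG), which is the RP's cue to send the user back to the OP for a stronger assertion.</div>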