<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
  <meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
Hi James,<br>
<br>
Yahoo supports the PAPE extension specifically to mark our assertions
with NIST Auth Level 0, to indicate that Relying Parties should not use
Yahoo OpenID assertions to authorize transactions of financial value,
or other high value transactions. We have this documented in our FAQ
here: <br>
<br>
<a class="moz-txt-link-freetext" href="http://developer.yahoo.com/openid/faq.html">http://developer.yahoo.com/openid/faq.html</a><br>
<br>
Thanks,<br>
Allen<br>
<br>
<br>
<br>
<br>
Drummond Reed wrote:
<blockquote cite="mid:079f01c8dc85$771a42f0$4daad44b@ELROND" type="cite">
  <blockquote type="cite">
    <pre wrap="">James Tindall wrote:

Hello all,

I have a quick question that doesn't seem to be covered in the existing
spec docs.

If a user enters 'yahoo.com' the OpenID discovery phase yields this xrds
document:

&lt;XRD&gt;
    &lt;Service priority="0"&gt;
      &lt;Type&gt;<a class="moz-txt-link-freetext" href="http://specs.openid.net/auth/2.0/server">http://specs.openid.net/auth/2.0/server</a>&lt;/Type&gt;
      &lt;Type&gt;<a class="moz-txt-link-freetext" href="http://specs.openid.net/extensions/pape/1.0">http://specs.openid.net/extensions/pape/1.0</a>&lt;/Type&gt;
      &lt;URI&gt;<a class="moz-txt-link-freetext" href="https://open.login.yahooapis.com/openid/op/auth">https://open.login.yahooapis.com/openid/op/auth</a>&lt;/URI&gt;
    &lt;/Service&gt;
&lt;/XRD&gt;

Is a Relying Party to take this as meaning that the Yahoo OpenID server
supports all PAPE policies?
    </pre>
  </blockquote>
  <pre wrap=""><!---->
It depends on what you mean by "supports all PAPE policies".

The XRD above simply says that the Yahoo OpenID 2.0 server supports PAPE,
which means the RP can include a PAPE request in their OpenID 2.0
authentication request to the Yahoo OP, and Yahoo will answer the request
saying which policies it did/didn't use for authentication (e.g., was it
phishing-proof or not?)

It doesn't mean that Yahoo has to support all the potential authentication
policies that the PAPE vocabulary includes.

=Drummond 

  </pre>
</blockquote>
<br>
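Added example, not part of the thread and not Yahoo's or any OpenID library's code: a Relying Party check that reads the PAPE fields of a positive assertion and refuses high-value actions unless the OP actually asserts the required policy and NIST level. It assumes the assertion's signature has already been verified by the RP's OpenID library; the <code>nist_auth_level</code> field name (as used in the PAPE drafts), the minimum level of 2, the required policy and the sample assertions are assumptions made for the illustration.<br>
<pre>
```python
from urllib.parse import parse_qs, urlencode

PAPE_NS = "http://specs.openid.net/extensions/pape/1.0"
PHISHING_RESISTANT = "http://schemas.openid.net/pape/policies/2007/06/phishing-resistant"
NO_POLICY = "http://schemas.openid.net/pape/policies/2007/06/none"

def pape_fields(query):
    """Signed PAPE response fields of an assertion, keyed without the alias."""
    params = {k: v[0] for k, v in parse_qs(query).items()}
    # The OP picks the alias, so locate it by namespace URI, not by name.
    alias = next((k[len("openid.ns."):] for k, v in params.items()
                  if k.startswith("openid.ns.") and v == PAPE_NS), None)
    if alias is None:
        return {}
    signed = set(params.get("openid.signed", "").split(","))
    prefix = "openid." + alias + "."
    # Fields missing from openid.signed are not covered by the signature.
    return {k[len(prefix):]: v for k, v in params.items()
            if k.startswith(prefix) and k[len("openid."):] in signed}

def allow_high_value(query, required=(PHISHING_RESISTANT,), min_nist_level=2):
    """True only if the OP asserts every required policy and the NIST level."""
    fields = pape_fields(query)
    policies = set(fields.get("auth_policies", "").split())
    try:
        level = int(fields.get("nist_auth_level", "0"))
    except ValueError:
        level = 0  # a malformed level is treated as no assurance
    return set(required).issubset(policies) and level >= min_nist_level

def sample(policies, level, sign_pape=True):
    """Constructed assertion parameters for the demo, not captured traffic."""
    signed = "mode,ns.pape,pape.auth_policies,pape.nist_auth_level" if sign_pape else "mode"
    return urlencode({
        "openid.mode": "id_res",
        "openid.ns.pape": PAPE_NS,
        "openid.pape.auth_policies": policies,
        "openid.pape.nist_auth_level": str(level),
        "openid.signed": signed,
    })

if __name__ == "__main__":
    print(allow_high_value(sample(NO_POLICY, 0)))           # level-0 assertion
    print(allow_high_value(sample(PHISHING_RESISTANT, 2)))  # meets the RP policy
```
</pre>
An assertion with no PAPE fields at all is handled the same way as a level 0 assertion: the check fails closed.<br>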
</body>
</html>