[security] PAPE Policy for RPs to force authentication without browser cookie
Allen Tom
atom at yahoo-inc.com
Thu Jul 2 17:16:06 UTC 2009
That's why I raised this question. Some RPs that authenticate their
existing users with a password have existing flows which require a
password re-verification, even if the user is already signed in.
Sites which are trying to upgrade to OpenID need to have equivalent
functionality. So far, there does not seem to be a clear explanation as
to what exactly RPs and OPs are supposed to do.
We should at least have a simple well defined interface for RPs to force
the OP to authenticate the user, regardless of when the user previously
authenticated. Speaking at least for Yahoo, we do have several flows
which require PW verification, and these flows do not care that the user
had entered their PW 30 seconds prior to entering the flow, the user
must unconditionally re-verify their password before entering the flow.
Arguably, this is a poor UX; however, that's just how it is, and it
would not make any sense to re-architect these existing flows to
accommodate OpenID. I can imagine that other RPs would have similar cases.
Allen
John Bradley wrote:
>
> If OP's start creatively interpreting PAPE it will have no value to RPs.
>
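As an added example (not code from the thread, nor Yahoo's implementation), here is the RP side of what the post asks for, expressed with PAPE 1.0's own parameters: send max_auth_age=0 so the OP must re-authenticate, then, rather than trusting the OP's interpretation, check that the signed auth_time falls after the request was sent. The parameter names come from PAPE 1.0; the sample responses, request time and clock-skew tolerance are constructed for the example.

```python
"""RP-side check that an OP really re-authenticated the user (PAPE 1.0).
Added example, not code from the thread. Assumes the PAPE 1.0 parameters
openid.ns.pape, openid.pape.max_auth_age and openid.pape.auth_time (UTC,
ISO 8601 'YYYY-MM-DDThh:mm:ssZ'); sample responses, request time and skew
tolerance are constructed for the example."""
from datetime import datetime, timedelta, timezone

PAPE_NS = "http://specs.openid.net/extensions/pape/1.0"
SKEW = timedelta(seconds=30)  # constructed tolerance for OP/RP clock drift

def build_pape_request(base_params, max_auth_age=0):
    """Add PAPE parameters to an OpenID auth request; 0 = always re-authenticate."""
    params = dict(base_params)
    params["openid.ns.pape"] = PAPE_NS
    params["openid.pape.max_auth_age"] = str(max_auth_age)
    return params

def parse_auth_time(value):
    """PAPE encodes auth_time as UTC ISO 8601 with a trailing 'Z'."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def verify_fresh_auth(response, request_time, max_auth_age=0):
    """Return (ok, reason). A signed assertion alone does not prove the OP
    re-authenticated; the RP must check the signed PAPE fields itself."""
    signed = response.get("openid.signed", "").split(",")
    if response.get("openid.ns.pape") != PAPE_NS or "ns.pape" not in signed:
        return False, "OP did not answer with a signed PAPE namespace"
    raw = response.get("openid.pape.auth_time")
    if raw is None or "pape.auth_time" not in signed:
        return False, "auth_time missing or unsigned although max_auth_age was sent"
    try:
        auth_time = parse_auth_time(raw)
    except ValueError:
        return False, "auth_time is not in PAPE ISO 8601 format"
    # The user must have authenticated no earlier than max_auth_age seconds
    # before the RP sent the request (minus skew); a cached login fails here.
    if auth_time < request_time - timedelta(seconds=max_auth_age) - SKEW:
        return False, f"auth_time {raw} predates the request window"
    if auth_time > datetime.now(timezone.utc) + SKEW:
        return False, "auth_time lies in the future"
    return True, "re-authentication confirmed"

# Constructed sample data: the RP sent its request at 17:00:00Z on 2009-07-02.
SAMPLE_REQUEST_TIME = parse_auth_time("2009-07-02T17:00:00Z")
SIGNED = "op_endpoint,claimed_id,ns.pape,pape.auth_time"
FRESH_RESPONSE = {"openid.ns.pape": PAPE_NS, "openid.signed": SIGNED,
                  "openid.pape.auth_time": "2009-07-02T17:00:12Z"}
STALE_RESPONSE = {"openid.ns.pape": PAPE_NS, "openid.signed": SIGNED,
                  "openid.pape.auth_time": "2009-07-02T16:59:00Z"}
```

The same check with a non-zero max_auth_age accepts a login up to that many seconds old, which is the relaxed form the post contrasts with unconditional re-verification.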