[OpenID] Assertion Quality Extension => openid.importance

Martin Atkins mart at degeneration.co.uk
Wed Dec 13 10:16:48 UTC 2006


Manger, James H wrote:
> A related hassle is that when my OP supports a new authentication method (such as a strong password-authenticated key agreement scheme (eg SRP)), existing RPs will not recognize this method as strong enough for the RP’s expectations – regardless of the method’s actual strength.

Consider also that non-human agents can often be both the OP and the 
"user" at the same time (they specify a URL under their own control as 
the OP, generate their own signature and respond) and in this case the 
OP knows that the user is the user without any shadow of a doubt because 
it *is* the user. However, this scenario would fail in any situation 
where a particular authentication scheme is demanded because there is 
*no* traditional authentication in this scenario.

However, if the RP instead presents (for example) a list of keywords 
identifying (in vague terms) what is at stake:
     transaction_involves=money+personal_details

...my non-human agent can pick up that it's being used for something for 
which it is not intended and refuse to take part. My traditional OP, on 
the other hand, can present me with a set of options (with reasonable 
defaults) for what to do in the presence of these keywords so that 
anything involving money can force a re-authentication (again, for example).

Whether a list of keywords is the way to go remains to be seen, but I 
believe this is the most sensible approach in principle.
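As an added illustration of the mechanism Martin sketches (not code from the thread or from any OpenID library), the block below shows how an OP could read an RP-supplied keyword list describing what is at stake and decide whether to proceed, force a re-authentication, or refuse. The parameter name `openid.transaction_involves`, the keyword vocabulary and both policy tables are assumptions chosen for the example; a human-facing OP escalates on "money", while a non-human agent acting as its own OP refuses anything outside the narrow purpose it was built for, including keywords it does not recognise.

```python
# Added example, not part of the mailing-list thread. The parameter name
# "openid.transaction_involves", the keywords and the policy tables are all
# hypothetical and exist only to illustrate the idea.
from dataclasses import dataclass
from typing import Iterable

# Outcomes an OP can choose once it has seen the RP's stake keywords.
ALLOW = "allow"              # proceed using the existing session
REAUTH = "reauthenticate"    # make the user authenticate again before asserting
REFUSE = "refuse"            # decline to take part in this assertion at all


def parse_keywords(value: str) -> set[str]:
    """Parse an RP-supplied 'a+b+c' keyword list into a normalised set.

    Unknown keywords are kept rather than dropped so that a conservative
    policy can treat them as a reason to refuse.
    """
    return {k.strip().lower() for k in value.split("+") if k.strip()}


@dataclass(frozen=True)
class OpPolicy:
    known: frozenset            # keyword vocabulary this OP understands
    reauth_on: frozenset        # keywords that force re-authentication
    refuse_on: frozenset        # keywords outside what this OP is meant for
    refuse_unknown: bool        # treat unrecognised keywords as REFUSE?

    def decide(self, keywords: Iterable[str]) -> str:
        kws = set(keywords)
        # Refusal checks run first: they override everything else.
        if kws & self.refuse_on:
            return REFUSE
        if self.refuse_unknown and (kws - self.known):
            return REFUSE
        if kws & self.reauth_on:
            return REAUTH
        return ALLOW


def decide_from_request(params: dict, policy: OpPolicy) -> str:
    """Apply the policy to the (hypothetical) keyword parameter of a request.

    A request without the parameter carries no stake information, so the
    policy sees an empty keyword set and falls through to ALLOW.
    """
    raw = params.get("openid.transaction_involves", "")
    return policy.decide(parse_keywords(raw))


# Constructed keyword vocabulary for the example.
KNOWN = frozenset({"money", "personal_details", "comment"})

# A traditional, human-facing OP: anything involving money forces a
# fresh authentication, everything else proceeds on the current session.
HUMAN_OP = OpPolicy(
    known=KNOWN,
    reauth_on=frozenset({"money"}),
    refuse_on=frozenset(),
    refuse_unknown=False,
)

# A non-human agent acting as its own OP. It was only ever intended to post
# comments, so it refuses anything touching money or personal data, and also
# anything it does not recognise.
AGENT_OP = OpPolicy(
    known=KNOWN,
    reauth_on=frozenset(),
    refuse_on=frozenset({"money", "personal_details"}),
    refuse_unknown=True,
)


if __name__ == "__main__":
    # Constructed request mirroring the keyword list from the message.
    req = {
        "openid.mode": "checkid_setup",
        "openid.transaction_involves": "money+personal_details",
    }
    print("human OP:", decide_from_request(req, HUMAN_OP))   # reauthenticate
    print("agent OP:", decide_from_request(req, AGENT_OP))   # refuse
```

The design point is that the RP never names an authentication method; it only describes the stakes, and each OP maps those stakes onto whatever it can actually do, so an OP with no traditional authentication at all (the agent case) still has a meaningful decision to make.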
