Fwd: OSIS PAPE call results
David Recordon
drecordon at sixapart.com
Mon Nov 5 13:37:22 UTC 2007
Hey all,
It turned out that from the OSIS interoperability event in Barcelona a
call was scheduled to discuss PAPE issues from the interop. I heard
about the call a few minutes before, but Mike, Johnny, and I had a
really productive call. If no one disagrees, we should get these
edits into the spec and release draft 3.
Thanks,
--David
Begin forwarded message:
> From: Mike Jones <Michael.Jones at microsoft.com>
> Date: November 1, 2007 10:04:02 PM GMT+01:00
> To: "david at sixapart.com" <david at sixapart.com>, Johnny Bufu <johnny at sxip.com>, "osis-general at netmesh.org" <osis-general at netmesh.org>
> Subject: OSIS PAPE call results
>
> Today we held the call discussing OSIS feedback on the PAPE spec.
> Topics covered and recommendations made on the call were:
>
> - Authorization decisions should be made solely by the relying
> party. The identity provider should accurately report the status of
> all policies requested by the relying party that the authentication
> complies with and may also choose to report the status of any
> policies that apply that were not explicitly requested. The
> policies are not mutually exclusive and no relationship between the
> different policies should be implied. A clarification to this
> effect should be added to the draft.
>
> - There was a request for a definition of Active Authentication as
> used in the auth_time element description. Intuitively, this
> involves at least having the user being at the machine as a
> participant in the authentication interaction in some manner. We
> agreed that we should look for an existing definition of active
> authentication that appears to apply.
>
> - The table in Appendix A.1.1 of http://openid.net/specs/openid-provider-authentication-policy-extension-1_0-02.html
> needs to be updated to be consistent with the definition in Section
> 4. Specifically:
> PIN and soft OTP token should not be marked as phishing-resistant.
> PIN and hard OTP token should not be marked as phishing-resistant.
> Information Cards should be added and listed as phishing-resistant.
> Active password managers that only release the password to the correct site should be listed as phishing-resistant.
>
> - If relying parties and OPs want to communicate actual
> authentication methods used, that should happen via a different spec
> than PAPE. Then the market can decide whether to use PAPE, this
> spec, both, or neither. (However some in the group have both
> privacy concerns about this and concerns about enabling attackers by
> giving them additional information to use in their attacks.)
>
> Finally, while we failed to discuss this on the call, I also believe
> that:
> PIN and digital certificate via HTTPS is phishable if the same certificate value is released to every site.
> PIN and digital certificate via HTTPS is not phishable if a different certificate value is released to every site.
> and that the table should be updated accordingly in this case as
> well. Someone who's an expert in this method should pipe in and
> provide guidance.
>
> Thanks all!
> -- Mike
>
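The first recommendation in the forwarded message (the RP alone decides; the OP reports the status of each policy, with no relationship implied between policies) as an added example, not code from the thread or from any OpenID library: an RP-side check that tests every required policy independently and ignores extra policies the OP volunteers. The policy URIs and field names follow the linked PAPE draft; the response dict shape, the max_auth_age handling and the fixed "now" value are assumptions made so the block runs stand-alone.

```python
from datetime import datetime, timedelta, timezone

# Policy URIs as defined in Section 4 of the linked PAPE draft.
PHISHING_RESISTANT = "http://schemas.openid.net/pape/policies/2007/06/phishing-resistant"
MULTI_FACTOR = "http://schemas.openid.net/pape/policies/2007/06/multi-factor"
MULTI_FACTOR_PHYSICAL = "http://schemas.openid.net/pape/policies/2007/06/multi-factor-physical"


def reported_policies(response):
    """Policies the OP says this authentication complied with.
    'none' (or an absent field) means the OP reports no policy as satisfied."""
    value = response.get("openid.pape.auth_policies", "none").strip()
    return set() if value in ("", "none") else set(value.split())


def parse_auth_time(value):
    # PAPE auth_time is a UTC timestamp of the form YYYY-MM-DDThh:mm:ssZ.
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def rp_authorizes(response, required_policies, max_auth_age=None, now=None):
    """The RP's own authorization decision. Each required policy is checked
    on its own: nothing is inferred from one policy about another, and
    policies the OP volunteers but the RP did not ask for are ignored.
    Returns (allowed, reasons) so a failed check can be logged."""
    reasons = []
    have = reported_policies(response)
    for policy in required_policies:
        if policy not in have:
            reasons.append(f"OP did not report {policy}")
    if max_auth_age is not None:
        raw = response.get("openid.pape.auth_time")
        if raw is None:
            reasons.append("OP did not report auth_time")
        else:
            now = now or datetime.now(timezone.utc)  # assumption: injectable clock
            age = now - parse_auth_time(raw)
            if age > timedelta(seconds=max_auth_age):
                reasons.append(f"authentication is {int(age.total_seconds())}s old")
    return (not reasons, reasons)


# Constructed sample OP response: the RP asked only for phishing-resistant;
# the OP also reports multi-factor, which the RP neither requested nor relies on.
SAMPLE = {
    "openid.pape.auth_policies": f"{MULTI_FACTOR} {PHISHING_RESISTANT}",
    "openid.pape.auth_time": "2007-11-01T21:00:00Z",
}
SAMPLE_NOW = datetime(2007, 11, 1, 21, 4, 2, tzinfo=timezone.utc)  # constructed
```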