OSIS PAPE call results

Bradescu, Roxana rbradescu at verisign.com
Tue Nov 6 16:25:47 UTC 2007


Hi David, that call was actually scheduled on 10/22 based on your
schedule and I thought you were going to let everyone on this list know
about it in case others wanted to participate. Unfortunately it turned
out there was some confusion about the call time due to a DST bug, so some
people dialed in at 12 and some folks dialed in at 1.

It sounds like both meetings were productive but unfortunately I don't
think we have consensus yet. Please see the attached email with feedback on
the meeting notes that Mike posted. Since some folks involved in the
discussion cannot participate on this list until the IPR policy is
finalized, we decided that we would discuss this on the OSIS-general
alias, especially to the extent that this really impacts
interoperability.

Basically I believe the following are still the two main issues:

1 - Definition of "phishing resistant" and the classification proposed
for the appendix.

2 - Proposal for a different spec to communicate the actual auth model used.
We would like to see this in the PAPE spec, though potentially optional
(in the spirit of compromise and consensus ;-). To introduce a new spec
is too much overhead, and to try to do it in attribute exchange
introduces interop issues, not to mention that the attribute spec has not
been finalized yet.

So with all that said, I don't agree we are ready for a new draft quite yet...

Regards,

Roxana

 

 

Roxana Bradescu | VeriSign Innovation | office: 650-426-4489 | mobile:
650-576-9262 | rbradescu at verisign.com

 

________________________________

From: specs-bounces at openid.net [mailto:specs-bounces at openid.net] On
Behalf Of David Recordon
Sent: Monday, November 05, 2007 5:37 AM
To: OpenID specs list
Subject: Fwd: OSIS PAPE call results

 

Hey all,

It turned out that from the OSIS interoperability event in Barcelona a
call was scheduled to discuss PAPE issues from the interop.  I heard
about the call a few minutes before, but Mike, Johnny, and I had a
really productive call.  If no one disagrees, we should get these edits
into the spec and release draft 3.

 

Thanks,

--David

 

Begin forwarded message:

From: Mike Jones <Michael.Jones at microsoft.com>
Date: November 1, 2007 10:04:02 PM GMT+01:00
To: "david at sixapart.com" <david at sixapart.com>, Johnny Bufu <johnny at sxip.com>, "osis-general at netmesh.org" <osis-general at netmesh.org>
Subject: OSIS PAPE call results

Today we held the call discussing OSIS feedback on the PAPE spec.
Topics covered and recommendations made on the call were:

 

- Authorization decisions should be made solely by the relying party.
The identity provider should accurately report the status of all
policies requested by the relying party that the authentication complies
with and may also choose to report the status of any policies that apply
that were not explicitly requested.  The policies are not mutually
exclusive and no relationship between the different policies should be
implied.  A clarification to this effect should be added to the draft.

 

- There was a request for a definition of Active Authentication as used
in the auth_time element description.  Intuitively, this involves at
least having the user be at the machine as a participant in the
authentication interaction in some manner.  We agreed that we should
look for an existing definition of active authentication that appears to
apply.

 

- The table in Appendix A.1.1 of
http://openid.net/specs/openid-provider-authentication-policy-extension-1_0-02.html
needs to be updated to be consistent with the definition in Section 4.
Specifically:

  - PIN and soft OTP token should not be marked as phishing-resistant.
  - PIN and hard OTP token should not be marked as phishing-resistant.
  - Information Cards should be added and listed as phishing-resistant.
  - Active password managers that only release the password to the
    correct site should be listed as phishing-resistant.
 

- If relying parties and OPs want to communicate actual authentication
methods used, that should happen via a different spec than PAPE.  Then
the market can decide whether to use PAPE, this spec, both, or neither.
(However some in the group have both privacy concerns about this and
concerns about enabling attackers by giving them additional information
to use in their attacks.)

 

Finally, while we failed to discuss this on the call, I also believe
that:

  - PIN and digital certificate via HTTPS is phishable if the same
    certificate value is released to every site.
  - PIN and digital certificate via HTTPS is not phishable if a
    different certificate value is released to every site.

and that the table should be updated accordingly in this case as well.
Someone who's an expert in this method should pipe in and provide
guidance.

 

Thanks all!

-- Mike
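As an added illustration of the first recommendation in Mike's notes (the OP only reports which policies were met, the RP alone decides, and policies are independent rather than ranked), here is a small RP-side check over PAPE response fields. This is example code written for this page, not code from any message in the thread or from an OpenID library; the field names, policy URIs and the literal "none" value follow the final OpenID PAPE 1.0 specification rather than the draft 02 under discussion, and the response dict is constructed sample data.

```python
from datetime import datetime, timezone

# Policy URIs as defined in the OpenID PAPE 1.0 specification (assumed here;
# the thread discusses draft 02).
PAPE_NS = "http://schemas.openid.net/pape/policies/2007/06/"
PHISHING_RESISTANT = PAPE_NS + "phishing-resistant"
MULTI_FACTOR = PAPE_NS + "multi-factor"
MULTI_FACTOR_PHYSICAL = PAPE_NS + "multi-factor-physical"

# Constructed sample of the PAPE fields in a positive assertion (not real traffic).
SAMPLE_RESPONSE = {
    "openid.pape.auth_policies": PHISHING_RESISTANT + " " + MULTI_FACTOR,
    "openid.pape.auth_time": "2007-11-01T21:04:02Z",
}

def parse_auth_time(value):
    """PAPE auth_time is an ISO 8601 timestamp in UTC, e.g. 2007-11-01T21:04:02Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def evaluate_pape(response, requested, max_auth_age=None, now=None):
    """RP-side decision over an OP's PAPE assertion.

    The OP only reports which policies it satisfied; whether that is good
    enough is decided here. Each requested policy is checked on its own
    (policies are independent, not ranked), and policies the OP reported
    beyond what was requested are surfaced but never substitute for a
    missing one. If the RP asked for a max_auth_age, a missing auth_time
    counts as stale rather than as fresh.
    """
    reported = set(response.get("openid.pape.auth_policies", "").split())
    reported.discard("none")  # PAPE 1.0 uses the literal "none" for "no policy met"
    missing = [p for p in requested if p not in reported]
    extra = sorted(reported - set(requested))
    fresh = True
    if max_auth_age is not None:
        if "openid.pape.auth_time" not in response:
            fresh = False
        else:
            now = now or datetime.now(timezone.utc)
            age = (now - parse_auth_time(response["openid.pape.auth_time"])).total_seconds()
            fresh = 0 <= age <= max_auth_age
    return {"ok": not missing and fresh, "missing": missing, "extra": extra, "fresh": fresh}

if __name__ == "__main__":
    at = parse_auth_time("2007-11-01T21:30:00Z")
    print(evaluate_pape(SAMPLE_RESPONSE, [PHISHING_RESISTANT], 3600, at))
    print(evaluate_pape(SAMPLE_RESPONSE, [MULTI_FACTOR_PHYSICAL], 3600, at))
```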

 

 
