<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=Content-Type content="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 11 (filtered medium)">
<!--[if !mso]>
<style>
v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style>
<![endif]-->
<style>
<!--
/* Font Definitions */
@font-face
        {font-family:Helvetica;
        panose-1:2 11 6 4 2 2 2 2 2 4;}
@font-face
        {font-family:Tahoma;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
        {font-family:Verdana;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman";}
h1
        {margin-top:12.0pt;
        margin-right:0in;
        margin-bottom:3.0pt;
        margin-left:0in;
        page-break-after:avoid;
        font-size:16.0pt;
        font-family:Arial;
        font-weight:bold;}
h2
        {margin-top:12.0pt;
        margin-right:0in;
        margin-bottom:3.0pt;
        margin-left:0in;
        page-break-after:avoid;
        font-size:14.0pt;
        font-family:Arial;
        font-weight:bold;
        font-style:italic;}
h3
        {margin-top:12.0pt;
        margin-right:0in;
        margin-bottom:3.0pt;
        margin-left:0in;
        page-break-after:avoid;
        font-size:12.0pt;
        font-family:Arial;
        font-weight:bold;}
h4
        {margin-top:12.0pt;
        margin-right:0in;
        margin-bottom:3.0pt;
        margin-left:0in;
        page-break-after:avoid;
        font-size:10.0pt;
        font-family:"Times New Roman";
        font-weight:bold;
        font-style:italic;}
p.MsoHeader, li.MsoHeader, div.MsoHeader
        {margin:0in;
        margin-bottom:.0001pt;
        border:none;
        padding:0in;
        font-size:10.0pt;
        font-family:Arial;}
p.MsoFooter, li.MsoFooter, div.MsoFooter
        {margin:0in;
        margin-bottom:.0001pt;
        border:none;
        padding:0in;
        font-size:10.0pt;
        font-family:Arial;}
p.MsoTitle, li.MsoTitle, div.MsoTitle
        {margin-top:0in;
        margin-right:0in;
        margin-bottom:9.0pt;
        margin-left:0in;
        text-align:center;
        font-size:16.0pt;
        font-family:Arial;
        font-weight:bold;}
p.MsoBodyText, li.MsoBodyText, div.MsoBodyText
        {margin-top:0in;
        margin-right:0in;
        margin-bottom:6.0pt;
        margin-left:0in;
        font-size:12.0pt;
        font-family:"Times New Roman";}
p.MsoSubtitle, li.MsoSubtitle, div.MsoSubtitle
        {margin-top:0in;
        margin-right:0in;
        margin-bottom:.25in;
        margin-left:0in;
        text-align:center;
        font-size:12.0pt;
        font-family:Arial;}
a:link, span.MsoHyperlink
        {color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {color:blue;
        text-decoration:underline;}
p
        {mso-margin-top-alt:auto;
        margin-right:0in;
        mso-margin-bottom-alt:auto;
        margin-left:0in;
        font-size:12.0pt;
        font-family:"Times New Roman";}
p.Quote, li.Quote, div.Quote
        {margin-top:0in;
        margin-right:.5in;
        margin-bottom:6.0pt;
        margin-left:.5in;
        font-size:12.0pt;
        font-family:"Times New Roman";
        font-style:italic;}
p.Wiki, li.Wiki, div.Wiki
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:10.0pt;
        font-family:"Courier New";}
p.Graphic, li.Graphic, div.Graphic
        {margin-top:0in;
        margin-right:0in;
        margin-bottom:6.0pt;
        margin-left:0in;
        text-align:center;
        font-size:10.0pt;
        font-family:Arial;
        font-style:italic;}
span.EmailStyle29
        {mso-style-type:personal-reply;
        font-family:Arial;
        color:navy;}
/* Page Definitions */
@page
        {mso-endnote-separator:url("cid:header.htm\@01C714A9.04346680") es;
        mso-endnote-continuation-separator:url("cid:header.htm\@01C714A9.04346680") ecs;}
@page Section1
        {size:8.5in 11.0in;
        margin:1.0in 1.25in 1.0in 1.25in;}
div.Section1
        {page:Section1;}
/* List Definitions */
@list l0
        {mso-list-id:-132;
        mso-list-type:simple;
        mso-list-template-ids:-1328661930;}
@list l0:level1
        {mso-level-tab-stop:1.25in;
        mso-level-number-position:left;
        margin-left:1.25in;
        text-indent:-.25in;}
@list l1
        {mso-list-id:-131;
        mso-list-type:simple;
        mso-list-template-ids:-909054546;}
@list l1:level1
        {mso-level-tab-stop:1.0in;
        mso-level-number-position:left;
        margin-left:1.0in;
        text-indent:-.25in;}
@list l2
        {mso-list-id:-130;
        mso-list-type:simple;
        mso-list-template-ids:531935922;}
@list l2:level1
        {mso-level-tab-stop:.75in;
        mso-level-number-position:left;
        margin-left:.75in;
        text-indent:-.25in;}
@list l3
        {mso-list-id:-129;
        mso-list-type:simple;
        mso-list-template-ids:2046339550;}
@list l3:level1
        {mso-level-tab-stop:.5in;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l4
        {mso-list-id:-128;
        mso-list-type:simple;
        mso-list-template-ids:82112870;}
@list l4:level1
        {mso-level-number-format:bullet;
        mso-level-text:\F0B7;
        mso-level-tab-stop:1.25in;
        mso-level-number-position:left;
        margin-left:1.25in;
        text-indent:-.25in;
        font-family:Symbol;}
@list l5
        {mso-list-id:-127;
        mso-list-type:simple;
        mso-list-template-ids:-1405587484;}
@list l5:level1
        {mso-level-number-format:bullet;
        mso-level-text:\F0B7;
        mso-level-tab-stop:1.0in;
        mso-level-number-position:left;
        margin-left:1.0in;
        text-indent:-.25in;
        font-family:Symbol;}
@list l6
        {mso-list-id:-126;
        mso-list-type:simple;
        mso-list-template-ids:828961842;}
@list l6:level1
        {mso-level-number-format:bullet;
        mso-level-text:\F0B7;
        mso-level-tab-stop:.75in;
        mso-level-number-position:left;
        margin-left:.75in;
        text-indent:-.25in;
        font-family:Symbol;}
@list l7
        {mso-list-id:-125;
        mso-list-type:simple;
        mso-list-template-ids:1053828088;}
@list l7:level1
        {mso-level-number-format:bullet;
        mso-level-text:\F0B7;
        mso-level-tab-stop:.5in;
        mso-level-number-position:left;
        text-indent:-.25in;
        font-family:Symbol;}
@list l8
        {mso-list-id:-120;
        mso-list-type:simple;
        mso-list-template-ids:-2021464228;}
@list l8:level1
        {mso-level-tab-stop:.25in;
        mso-level-number-position:left;
        margin-left:.25in;
        text-indent:-.25in;}
@list l9
        {mso-list-id:-119;
        mso-list-type:simple;
        mso-list-template-ids:445916746;}
@list l9:level1
        {mso-level-number-format:bullet;
        mso-level-text:\F0B7;
        mso-level-tab-stop:.25in;
        mso-level-number-position:left;
        margin-left:.25in;
        text-indent:-.25in;
        font-family:Symbol;}
ol
        {margin-bottom:0in;}
ul
        {margin-bottom:0in;}
-->
</style>
<!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang=EN-US link=blue vlink=blue style='word-wrap: break-word;-khtml-nbsp-mode: space;
-khtml-line-break: after-white-space'>
<div class=Section1>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>Avery,<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'><o:p>&nbsp;</o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>Paul&#8217;s the one to weigh in on this
option &#8211; he wrote (and lived) the book on SAML AuthN Context. But I do
like the looks of what you proposed &#8211; seems very elegant.<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'><o:p>&nbsp;</o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>=Drummond <o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'><o:p>&nbsp;</o:p></span></font></p>
<div>
<div class=MsoNormal align=center style='text-align:center'><font size=3
face="Times New Roman"><span style='font-size:12.0pt'>
<hr size=2 width="100%" align=center tabindex=-1>
</span></font></div>
<p class=MsoNormal><b><font size=2 face=Tahoma><span style='font-size:10.0pt;
font-family:Tahoma;font-weight:bold'>From:</span></font></b><font size=2
face=Tahoma><span style='font-size:10.0pt;font-family:Tahoma'>
general-bounces@openid.net [mailto:general-bounces@openid.net] <b><span
style='font-weight:bold'>On Behalf Of </span></b>Avery Glasser<br>
<b><span style='font-weight:bold'>Sent:</span></b> Thursday, November 30, 2006
2:22 PM<br>
<b><span style='font-weight:bold'>To:</span></b> George Fletcher<br>
<b><span style='font-weight:bold'>Cc:</span></b> specs@openid.net;
general@openid.net<br>
<b><span style='font-weight:bold'>Subject:</span></b> Re: [OpenID] OpenID
Assertion Quality Extension - Draft</span></font><o:p></o:p></p>
</div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'><o:p>&nbsp;</o:p></span></font></p>
<div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'>Just to weigh in here...<o:p></o:p></span></font></p>
</div>
<div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'><br>
<br>
<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'><br>
Paul Madsen wrote: <o:p></o:p></span></font></p>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'>Hi George, for your use case below, why would not the RP just ask for
the user to be up-authenticated at the desired higher level when necessary? <o:p></o:p></span></font></p>
<p class=MsoNormal><font size=3 face=Helvetica><span style='font-size:12.0pt;
font-family:Helvetica'>So in the draft... how does the RP ask for the user to
be "up-authenticated"? The authentication request parameters do not
in any way indicate a previous authentication, and the extension parameters
also don't include any way to indicate a previous authentication. That is what
I really meant by the authentications being "standalone". The RP may
relate the two authentications in some way because it requested both. Maybe
that's good enough.</span></font><o:p></o:p></p>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'>Basically, you would require the second method with a max_age of
"0" - which, assuming the RP honors the request, would tell the RP to
re-authenticate the user with the requested method. <o:p></o:p></span></font></p>
</div>
<div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'><br>
<br>
<o:p></o:p></span></font></p>
<blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'
cite="mid456F3223.8090600@rogers.com" type=cite>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'><br>
Are you asking whether the RP should be allowed to ask the user to re-present
their URI in order for this to happen? And thereby effectively treating each
event as disconnected/standalone? <o:p></o:p></span></font></p>
</blockquote>
<p class=MsoNormal><font size=3 face=Helvetica><span style='font-size:12.0pt;
font-family:Helvetica'>Ideally, the user would not be able to change their URI
when being re-challenged based on max_auth_age but I guess the RP should make
sure to code for that edge case.</span></font><o:p></o:p></p>
<div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'>Agreed - it's the RP's choice.<o:p></o:p></span></font></p>
</div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'><br>
<br>
<o:p></o:p></span></font></p>
<blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'
cite="mid456F3223.8090600@rogers.com" type=cite>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'><br>
Wrt combinations, I know from experience that the alternative to allowing for
RPs to specify combinations is a combinatorial explosion in the number of
mechanism identifiers. <o:p></o:p></span></font></p>
</blockquote>
<p class=MsoNormal style='margin-bottom:12.0pt'><font size=3 face=Helvetica><span
style='font-size:12.0pt;font-family:Helvetica'>I agree that the combinations
can explode... but they are also useful. For example to hack my account you
need both my "password" and my "hardotp". That's two
"secrets" that need to be determined for my account to be
compromised. (Not that this doesn't stop phishers).</span></font><o:p></o:p></p>
<div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'><o:p>&nbsp;</o:p></span></font></p>
</div>
</div>
<div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'>Actually, this could be pretty simple to implement:<o:p></o:p></span></font></p>
</div>
<div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'><o:p>&nbsp;</o:p></span></font></p>
</div>
<div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'>Replace openid.aqe.preferred_auth_mode with the following:<o:p></o:p></span></font></p>
</div>
<div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'><o:p>&nbsp;</o:p></span></font></p>
</div>
<div>
<p class=MsoNormal><span class=apple-tab-span><font size=1 face=Verdana><span
style='font-size:6.5pt;font-family:Verdana'>&nbsp;</span></font></span><span
class=apple-style-span><font size=1 face=Verdana><span style='font-size:6.5pt;
font-family:Verdana'>openid.aqe.auth_factor1</span></font></span><o:p></o:p></p>
</div>
<p style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:6.5pt;
margin-left:13.0pt'><span class=apple-style-span><font size=1 face=Verdana><span
style='font-size:6.5pt;font-family:Verdana'>Optional: The method of
authentication the RP would like the OP to perform, or in the case of a
multi-factor authentication, the first method that the RP would like the OP to
perform. The mode should match one of the advertised values in the XRDS. If
this is not specified, then any authentication method is acceptable.</span></font></span><o:p></o:p></p>
<p style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:6.5pt;
margin-left:13.0pt'><span class=apple-style-span><font size=1 face=Verdana><span
style='font-size:6.5pt;font-family:Verdana'>Value: Comma-delimited list of
"none", "password", "pin", "fingerbio",
"handbio", "hardotp", "irisbio",
"otherbio", "smartcard", "softotp",
"voicebio"</span></font></span><o:p></o:p></p>
<p style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:6.5pt;
margin-left:13.0pt'><span class=apple-style-span><font size=1 face=Verdana><span
style='font-size:6.5pt;font-family:Verdana'>Note: The OP should attempt to
authenticate the user with the most secure mode requested. For example, if the
OP has determined that their voicebio method is stronger than their password
method and the RP requests either "voicebio or password", the OP
should strive to authenticate the user by "voicebio" when possible.
If the two modes are considered equally strong, then it is the choice of the OP
regarding which one or ones to authenticate against. OPs should note that
authenticating a user by a non-preferred method may result in an RP denying
access.</span></font></span><o:p></o:p></p>
<div>
<p class=MsoNormal><span class=apple-tab-span><font size=1 face=Verdana><span
style='font-size:6.5pt;font-family:Verdana'>&nbsp;</span></font></span><span
class=apple-style-span><font size=1 face=Verdana><span style='font-size:6.5pt;
font-family:Verdana'>openid.aqe.auth_factor2</span></font></span><o:p></o:p></p>
</div>
<p style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:6.5pt;
margin-left:13.0pt'><span class=apple-style-span><font size=1 face=Verdana><span
style='font-size:6.5pt;font-family:Verdana'>Optional: In the case of a
multi-factor authentication, the second method that the RP would like the OP to
perform. The mode should match one of the advertised values in the XRDS. If
this is not specified, then any authentication method is acceptable. If this is
not specified, it is assumed that the RP is requesting only a single factor for
authentication. The OP will not use the same method for this factor as was used
in any previous factors. For example, if the first factor is a password, the
second factor cannot also be a password.</span></font></span><o:p></o:p></p>
<p style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:6.5pt;
margin-left:13.0pt'><span class=apple-style-span><font size=1 face=Verdana><span
style='font-size:6.5pt;font-family:Verdana'>Value: Comma-delimited list of
"none", "password", "pin", "fingerbio",
"handbio", "hardotp", "irisbio",
"otherbio", "smartcard", "softotp",
"voicebio"</span></font></span><o:p></o:p></p>
<p style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:6.5pt;
margin-left:13.0pt'><span class=apple-style-span><font size=1 face=Verdana><span
style='font-size:6.5pt;font-family:Verdana'>Note: The OP should attempt to
authenticate the user with the most secure mode requested. For example, if the
OP has determined that their voicebio method is stronger than their password
method and the RP requests either "voicebio or password", the OP should
strive to authenticate the user by "voicebio" when possible. If the
two modes are considered equally strong, then it is the choice of the OP
regarding which one or ones to authenticate against. OPs should note that
authenticating a user by a non-preferred method may result in an RP denying
access.</span></font></span><o:p></o:p></p>
<div>
<p class=MsoNormal><span class=apple-tab-span><font size=1 face=Verdana><span
style='font-size:6.5pt;font-family:Verdana'>&nbsp;</span></font></span><span
class=apple-style-span><font size=1 face=Verdana><span style='font-size:6.5pt;
font-family:Verdana'>openid.aqe.auth_factor3</span></font></span><o:p></o:p></p>
</div>
<p style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:6.5pt;
margin-left:13.0pt'><span class=apple-style-span><font size=1 face=Verdana><span
style='font-size:6.5pt;font-family:Verdana'>... you can figure how it would
continue. There are very few use cases that would use more than two factors.</span></font></span><o:p></o:p></p>
<p style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:6.5pt;
margin-left:13.0pt'><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'><o:p>&nbsp;</o:p></span></font></p>
<p style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:6.5pt;
margin-left:13.0pt'><span class=apple-style-span><font size=1 face=Verdana><span
style='font-size:6.5pt;font-family:Verdana'>So, in this case, if you want the
user to authenticate with two factors, first with a password and second with a
SecurID or voice biometric print...</span></font></span><o:p></o:p></p>
<p style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:6.5pt;
margin-left:13.0pt'><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'><o:p>&nbsp;</o:p></span></font></p>
<p style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:6.5pt;
margin-left:13.0pt'><span class=apple-style-span><font size=1 face=Verdana><span
style='font-size:6.5pt;font-family:Verdana'>openid.aqe.auth_factor1 =
"password"</span></font></span><o:p></o:p></p>
<p style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:6.5pt;
margin-left:13.0pt'><span class=apple-style-span><font size=1 face=Verdana><span
style='font-size:6.5pt;font-family:Verdana'>openid.aqe.auth_factor2 =
"hardotp", "voicebio"</span></font></span><o:p></o:p></p>
<p style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:6.5pt;
margin-left:13.0pt'><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'><o:p>&nbsp;</o:p></span></font></p>
<p style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:6.5pt;
margin-left:13.0pt'><span class=apple-style-span><font size=1 face=Verdana><span
style='font-size:6.5pt;font-family:Verdana'>Conversely, if you want two
factors, which could be any combination of password, hardotp or voicebio in any
combination:</span></font></span><o:p></o:p></p>
<p style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:6.5pt;
margin-left:13.0pt'><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'><o:p>&nbsp;</o:p></span></font></p>
<p style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:6.5pt;
margin-left:13.0pt'><span class=apple-style-span><font size=1 face=Verdana><span
style='font-size:6.5pt;font-family:Verdana'>openid.aqe.auth_factor1 =
"hardotp", "voicebio", "password"</span></font></span><o:p></o:p></p>
<p style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:6.5pt;
margin-left:13.0pt'><span class=apple-style-span><font size=1 face=Verdana><span
style='font-size:6.5pt;font-family:Verdana'>openid.aqe.auth_factor2 =
"hardotp", "voicebio", "password"</span></font></span><o:p></o:p></p>
<div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'><o:p>&nbsp;</o:p></span></font></p>
</div>
<div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'><o:p>&nbsp;</o:p></span></font></p>
</div>
<div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'>The response from the OP, assuming that it followed the request from
the RP, would look like:<o:p></o:p></span></font></p>
</div>
<div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'><o:p>&nbsp;</o:p></span></font></p>
</div>
<p style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:6.5pt;
margin-left:13.0pt'><span class=apple-style-span><font size=1 face=Verdana><span
style='font-size:6.5pt;font-family:Verdana'>openid.aqe.auth_factor1 =
"password"</span></font></span><o:p></o:p></p>
<p style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:6.5pt;
margin-left:13.0pt'><span class=apple-style-span><font size=1 face=Verdana><span
style='font-size:6.5pt;font-family:Verdana'>openid.aqe.auth_factor2 =
"hardotp"</span></font></span><o:p></o:p></p>
<div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'><o:p>&nbsp;</o:p></span></font></p>
</div>
<div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'>I would think that this is clear enough that we could make the small
change to the spec to allow for this type of methodology. <o:p></o:p></span></font></p>
</div>
<div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'><o:p>&nbsp;</o:p></span></font></p>
</div>
<div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'>Thoughts?<o:p></o:p></span></font></p>
</div>
<div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'><o:p>&nbsp;</o:p></span></font></p>
</div>
<div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'>- Avery<o:p></o:p></span></font></p>
</div>
<div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'><br>
<br>
<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=3 face=Helvetica><span style='font-size:12.0pt;
font-family:Helvetica'>Thanks,<br>
George<br>
</span></font><br>
<br>
<o:p></o:p></p>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'><br>
Paul <br>
<br>
George Fletcher wrote: <br>
<br>
<o:p></o:p></span></font></p>
<p class=MsoNormal style='margin-bottom:12.0pt'><font size=3
face="Times New Roman"><span style='font-size:12.0pt'>+1 simple and
straightforward <br>
<br>
Just curious about use cases where the required authentication level changes
over time. For instance, a use case where to view my stock portfolio just
requires "password", but doing a trade requires "voicebio".
Is the expectation that authentication events can be treated as
"standalone"? or that it's the RP's responsibility to manage the
combinations based on the identifier? <br>
<br>
One final question... Is it valuable to provide a way to request two or more
authentication methods be employed in the authentication event? For example,
administrators of a site must use both "password" and
"hardotp". Everyone else just needs "password". <br>
<br>
Thanks, <br>
George <br>
<br>
<br>
_______________________________________________ <br>
general mailing list <br>
<a href="mailto:general@openid.net">general@openid.net</a> <br>
<a href="http://openid.net/mailman/listinfo/general">http://openid.net/mailman/listinfo/general</a>
<br>
<br>
<o:p></o:p></span></font></p>
</div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'><o:p>&nbsp;</o:p></span></font></p>
</div>
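<p class=MsoNormal>The request and response handling Avery describes above, written out as an added example; it is not part of the thread or of the Assertion Quality Extension draft. The function names, the OP's strength table, the set of enrolled methods, and the rule that a response names exactly one method per factor are assumptions.</p>
<pre>
```python
# Added example: RP- and OP-side handling of the openid.aqe.auth_factorN
# parameters proposed in this thread. Function names, the strength table and
# the one-method-per-factor response rule are assumptions, not draft text.
ALLOWED = {"none", "password", "pin", "fingerbio", "handbio", "hardotp",
           "irisbio", "otherbio", "smartcard", "softotp", "voicebio"}
PREFIX = "openid.aqe.auth_factor"


def parse_factors(params):
    """Return one set of methods per factor, ordered auth_factor1..N."""
    factors = {}
    for key, value in params.items():
        if not key.startswith(PREFIX):
            continue  # unrelated OpenID field
        suffix = key[len(PREFIX):]
        if not suffix.isdigit() or int(suffix) == 0:
            raise ValueError(f"bad factor index in {key!r}")
        # Accept both hardotp,voicebio and the quoted form used in the thread.
        methods = {m.strip().strip('"') for m in value.split(",")} - {""}
        if not methods or methods - ALLOWED:
            raise ValueError(f"{key}: unknown or empty method list {value!r}")
        factors[int(suffix)] = methods
    if sorted(factors) != list(range(1, len(factors) + 1)):
        raise ValueError("factors must be numbered 1..N without gaps")
    return [factors[n] for n in sorted(factors)]


def op_choose(requested, strength, enrolled):
    """OP side: pick one distinct method per factor, strongest first.
    Backtracks so the strongest pick for an early factor cannot starve a
    later one. Returns a list of methods, or None if the request is unmet."""
    def solve(i, used):
        if i == len(requested):
            return []
        usable = requested[i].intersection(enrolled) - used
        for method in sorted(usable, key=lambda m: (-strength.get(m, 0), m)):
            rest = solve(i + 1, used | {method})
            if rest is not None:
                return [method] + rest
        return None
    return solve(0, set())


def rp_verify(request_params, response_params):
    """RP side: list every way the response fails the request.
    Assumes response_params come from fields covered by the assertion
    signature; unsigned extension fields prove nothing."""
    requested = parse_factors(request_params)
    performed = parse_factors(response_params)
    problems = []
    if len(performed) != len(requested):
        problems.append(f"asked for {len(requested)} factor(s), "
                        f"got {len(performed)}")
    seen = set()
    for n, (want, got) in enumerate(zip(requested, performed), 1):
        if len(got) != 1:
            problems.append(f"factor {n}: expected exactly one method")
            continue
        method = next(iter(got))
        if method not in want:
            problems.append(f"factor {n}: {method!r} was not requested")
        if method in seen:
            problems.append(f"factor {n}: {method!r} repeats an earlier factor")
        seen.add(method)
    return problems


# The two requests from the thread, plus a strength table constructed here.
REQ_ORDERED = {PREFIX + "1": '"password"', PREFIX + "2": '"hardotp", "voicebio"'}
REQ_ANY_TWO = {PREFIX + "1": '"hardotp", "voicebio", "password"',
               PREFIX + "2": '"hardotp", "voicebio", "password"'}
STRENGTH = {"voicebio": 3, "hardotp": 2, "password": 1}

if __name__ == "__main__":
    picked = op_choose(parse_factors(REQ_ANY_TWO), STRENGTH, set(ALLOWED))
    resp = {PREFIX + str(i): m for i, m in enumerate(picked, 1)}
    print(picked, rp_verify(REQ_ANY_TWO, resp))
```
</pre>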
</body>
</html>