<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=utf-8">
<META NAME="Generator" CONTENT="MS Exchange Server version 6.5.7651.14">
<TITLE>RE: [OpenID] Assertion Quality Extension => openid.importance</TITLE>
</HEAD>
<BODY>
<!-- Converted from text/rtf format -->
<P DIR=LTR><SPAN LANG="en-au"></SPAN><SPAN LANG="en-au"><FONT COLOR="#0000FF" SIZE=2 FACE="Arial">The RP is not saying “this is very very important to *</FONT></SPAN><SPAN LANG="en-au"><B></B></SPAN><SPAN LANG="en-au"><B><FONT COLOR="#0000FF" SIZE=2 FACE="Arial">me</FONT></B></SPAN><SPAN LANG="en-au"></SPAN><SPAN LANG="en-au"><FONT COLOR="#0000FF" SIZE=2 FACE="Arial">*”. It is saying “in my opinion, this is likely to be very very important to *</FONT></SPAN><SPAN LANG="en-au"><B></B></SPAN><SPAN LANG="en-au"><B><FONT COLOR="#0000FF" SIZE=2 FACE="Arial">you</FONT></B></SPAN><SPAN LANG="en-au"></SPAN><SPAN LANG="en-au"><FONT COLOR="#0000FF" SIZE=2 FACE="Arial">*”. Consequently, it is not a contradiction for the RP to also say “I leave it to you as to the specifics”.</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-au"></SPAN><SPAN LANG="en-au"><FONT SIZE=2 FACE="Arial">></FONT></SPAN><SPAN LANG="en-au"></SPAN><SPAN LANG="en-au"> <FONT SIZE=2 FACE="Arial">Does participating in OpenID mean the RP giving up this policy control?</FONT></SPAN><SPAN LANG="en-au"></SPAN><SPAN LANG="en-au"></SPAN></P>
<P DIR=LTR><SPAN LANG="en-au"></SPAN><SPAN LANG="en-au"><FONT COLOR="#0000FF" SIZE=2 FACE="Arial">Yes, fully participating in OpenID means the RP gives up some policy control. An RP cannot simultaneously 1) accept its users choices of OPs, and 2) get trusted assertions as to the authentication quality. The first implies accepting any OP. The second implies accepting only the small subset of OPs trusted by the RP.</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-au"></SPAN><SPAN LANG="en-au"></SPAN></P>
<P DIR=LTR><SPAN LANG="en-au"><FONT SIZE=2 FACE="Arial">></FONT></SPAN><SPAN LANG="en-au"></SPAN><SPAN LANG="en-au"> <FONT SIZE=2 FACE="Arial">How many such RPs will be willing to pay this price?</FONT></SPAN><SPAN LANG="en-au"></SPAN><SPAN LANG="en-au"></SPAN></P>
<P DIR=LTR><SPAN LANG="en-au"><FONT COLOR="#0000FF" SIZE=2 FACE="Arial">For most RPs there shouldn’t be a high price (if any price). When the login only gives access to the user’s own resources (be they colour preferences, reputation, personal details, money…), then any inappropriately weak authentication of the user by their OP only affects that user. The user pays a price, but not the RP. This scenario covers a lot of services: Amazon (user’s book preferences, user’s payments); hotmail (user’s inbox); flickr (user’s photos)…</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-au"><FONT COLOR="#0000FF" SIZE=2 FACE="Arial">An RP may pay an indirect price. The law may not accept that the user was in</FONT></SPAN><SPAN LANG="en-au"></SPAN><SPAN LANG="en-au"> <FONT COLOR="#0000FF" SIZE=2 FACE="Arial">total</FONT></SPAN><SPAN LANG="en-au"></SPAN><SPAN LANG="en-au"> <FONT COLOR="#0000FF" SIZE=2 FACE="Arial">control</FONT></SPAN><SPAN LANG="en-au"></SPAN><SPAN LANG="en-au"> <FONT COLOR="#0000FF" SIZE=2 FACE="Arial">of the authentication mechanism</FONT></SPAN><SPAN LANG="en-au"></SPAN><SPAN LANG="en-au"> <FONT COLOR="#0000FF" SIZE=2 FACE="Arial">so the user (not the RP) bears all responsibility.</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-au"></SPAN><SPAN LANG="en-au"><FONT COLOR="#0000FF" SIZE=2 FACE="Arial">A big scenario not covered is corporate access: the RP is a company, the user is an employee. Login gives the user access to resources, but the RP still owns the resources. Some control over the resources is delegated to the user, but not all. Solutions: a) don’t use openid, b) trust your employees, c) use openid but only accept selected OPs.</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-au"></SPAN><SPAN LANG="en-au"><FONT SIZE=2 FACE="Arial">></FONT></SPAN><SPAN LANG="en-au"></SPAN><SPAN LANG="en-au"> <FONT SIZE=2 FACE="Arial">Fundamentally, I don't see how acknowledging that the RP may have certain expectations of the authentication event is somehow in conflict with user-centrism.</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-au"></SPAN><SPAN LANG="en-au"><FONT COLOR="#0000FF" SIZE=2 FACE="Arial">The hassle is that an RP expectation for, say, “hardotp”</FONT></SPAN><SPAN LANG="en-au"></SPAN><SPAN LANG="en-au"> <FONT COLOR="#0000FF" SIZE=2 FACE="Arial">will prevent my</FONT></SPAN><SPAN LANG="en-au"></SPAN><SPAN LANG="en-au"> <FONT COLOR="#0000FF" SIZE=2 FACE="Arial">spec-</FONT></SPAN><SPAN LANG="en-au"></SPAN><SPAN LANG="en-au"><FONT COLOR="#0000FF" SIZE=2 FACE="Arial">compliant OP software from logging me in even if I am using a</FONT></SPAN><SPAN LANG="en-au"></SPAN><SPAN LANG="en-au"><FONT COLOR="#0000FF" SIZE=2 FACE="Arial"> triple-factor</FONT></SPAN><SPAN LANG="en-au"></SPAN><SPAN LANG="en-au"> <FONT COLOR="#0000FF" SIZE=2 FACE="Arial">iris scan</FONT></SPAN><SPAN LANG="en-au"></SPAN><SPAN LANG="en-au"><FONT COLOR="#0000FF" SIZE=2 FACE="Arial">, 20-char password and smartcard to authenticate myself to my OP.</FONT></SPAN><SPAN LANG="en-au"></SPAN><SPAN LANG="en-au"></SPAN></P>
<P DIR=LTR><SPAN LANG="en-au"><FONT COLOR="#0000FF" SIZE=2 FACE="Arial">A related hassle is that when my OP</FONT></SPAN><SPAN LANG="en-au"></SPAN><SPAN LANG="en-au"> <FONT COLOR="#0000FF" SIZE=2 FACE="Arial">supports a new authentication method (such as a</FONT></SPAN><SPAN LANG="en-au"></SPAN><SPAN LANG="en-au"> <FONT COLOR="#0000FF" SIZE=2 FACE="Arial">strong</FONT></SPAN><SPAN LANG="en-au"></SPAN><SPAN LANG="en-au"> <FONT COLOR="#0000FF" SIZE=2 FACE="Arial">password-authenticated key agreement scheme</FONT></SPAN><SPAN LANG="en-au"></SPAN><SPAN LANG="en-au"><FONT COLOR="#0000FF" SIZE=2 FACE="Arial"> (eg SRP)</FONT></SPAN><SPAN LANG="en-au"></SPAN><SPAN LANG="en-au"><FONT COLOR="#0000FF" SIZE=2 FACE="Arial">),</FONT></SPAN><SPAN LANG="en-au"></SPAN><SPAN LANG="en-au"> <FONT COLOR="#0000FF" SIZE=2 FACE="Arial">existing</FONT></SPAN><SPAN LANG="en-au"></SPAN><SPAN LANG="en-au"><FONT COLOR="#0000FF" SIZE=2 FACE="Arial"> RPs will</FONT></SPAN><SPAN LANG="en-au"></SPAN><SPAN LANG="en-au"> <FONT COLOR="#0000FF" SIZE=2 FACE="Arial">not</FONT></SPAN><SPAN LANG="en-au"></SPAN><SPAN LANG="en-au"> <FONT COLOR="#0000FF" SIZE=2 FACE="Arial">recognize</FONT></SPAN><SPAN LANG="en-au"></SPAN><SPAN LANG="en-au"> <FONT COLOR="#0000FF" SIZE=2 FACE="Arial">this method</FONT></SPAN><SPAN LANG="en-au"></SPAN><SPAN LANG="en-au"><FONT COLOR="#0000FF" SIZE=2 FACE="Arial"> as strong enough for the</FONT></SPAN><SPAN LANG="en-au"></SPAN><SPAN LANG="en-au"><FONT COLOR="#0000FF" SIZE=2 FACE="Arial"> RP’s</FONT></SPAN><SPAN LANG="en-au"></SPAN><SPAN LANG="en-au"><FONT COLOR="#0000FF" SIZE=2 FACE="Arial"> expectations</FONT></SPAN><SPAN LANG="en-au"></SPAN><SPAN LANG="en-au"><FONT COLOR="#0000FF" SIZE=2 FACE="Arial"></FONT></SPAN><SPAN LANG="en-au"></SPAN><SPAN LANG="en-au"> <FONT COLOR="#0000FF" SIZE=2 FACE="Arial">–</FONT></SPAN><SPAN LANG="en-au"></SPAN><SPAN LANG="en-au"><FONT COLOR="#0000FF" SIZE=2 FACE="Arial"> regardless of the method</FONT></SPAN><SPAN LANG="en-au"></SPAN><SPAN LANG="en-au"><FONT COLOR="#0000FF" SIZE=2 FACE="Arial">’s actual strength.</FONT></SPAN><SPAN LANG="en-au"></SPAN><SPAN LANG="en-au"></SPAN></P>
</BODY>
</HTML>