incubator-heraldry-dev mailing list archives

From "Ben Laurie" <b...@google.com>
Subject Re: [OpenID] Announcing OpenID Authentication 2.0 - Implementor's Draft 11
Date Mon, 22 Jan 2007 17:45:36 GMT
On 1/22/07, Josh Hoyt <josh@janrain.com> wrote:
> Ben,
>
> On 1/22/07, Ben Laurie <benl@google.com> wrote:
> > OK, the idea is pretty simple. Rather like the "OpenID Authentication
> > Security Profiles" you have a profile where the RP states what kind of
> > End User/OP authentication is acceptable to it. Sites with low/zero
> > value attached to the login can accept any kind of EU/OP auth, whereas
> > high value sites can require "unphishable" auth.
>
> I like the sound of this proposal, but I don't see how the RP could
> know whether the OP is actually using "unphishable" authentication
> when that kind of authentication is requested. Is it necessary for the
> RP to be able to tell for sure, and if so, how could it tell?

No, I don't think it is necessary. If users want to trust their
identity to OPs that lie, that's their decision.
