incubator-heraldry-dev mailing list archives

From "Ben Laurie" <b...@google.com>
Subject Re: [OpenID] Announcing OpenID Authentication 2.0 - Implementor's Draft 11
Date Mon, 22 Jan 2007 18:11:44 GMT
On 1/22/07, Josh Hoyt <josh@janrain.com> wrote:
> On 1/22/07, Ben Laurie <benl@google.com> wrote:
> > > On 1/22/07, Ben Laurie <benl@google.com> wrote:
> > > > OK, the idea is pretty simple. Rather like the "OpenID Authentication
> > > > Security Profiles" you have a profile where the RP states what kind of
> > > > End User/OP authentication is acceptable to it. Sites with low/zero
> > > > value attached to the login can accept any kind of EU/OP auth, whereas
> > > > high value sites can require "unphishable" auth.
> > >
> > > I like the sound of this proposal, but I don't see how the RP could
> > > know whether the OP is actually using "unphishable" authentication
> > > when that kind of authentication is requested. Is it necessary for the
> > > RP to be able to tell for sure, and if so, how could it tell?
> >
> > No, I don't think it is necessary. If users want to trust their
> > identity to OPs that lie, that's their decision.
>
> In that case, I think this could just be part of the "Assertion
> Quality Extension." [1] I haven't been involved in that specification
> at all, but my understanding is that it provides a way of expressing
> what kind of authentication the RP would like to have when a request
> is made to the OP.

Actually, it appears to allow the RP to tell the OP what kind of
authentication was used, which is backwards.

It also seems to be rather lacking in meat. Still, a step in the right
direction.

>
> Josh
>
> 1. http://openid.net/specs/openid-assertion-quality-extension-1_0-01.html
>
