incubator-heraldry-dev mailing list archives

From "Ben Laurie" <b...@google.com>
Subject Re: [OpenID] Announcing OpenID Authentication 2.0 - Implementor's Draft 11
Date Mon, 22 Jan 2007 18:56:50 GMT
On 1/22/07, Ben Laurie <benl@google.com> wrote:
> On 1/22/07, Josh Hoyt <josh@janrain.com> wrote:
> > On 1/22/07, Ben Laurie <benl@google.com> wrote:
> > > > On 1/22/07, Ben Laurie <benl@google.com> wrote:
> > > > > OK, the idea is pretty simple. Rather like the "OpenID Authentication
> > > > > Security Profiles" you have a profile where the RP states what kind of
> > > > > End User/OP authentication is acceptable to it. Sites with low/zero
> > > > > value attached to the login can accept any kind of EU/OP auth, whereas
> > > > > high value sites can require "unphishable" auth.
> > > >
> > > > I like the sound of this proposal, but I don't see how the RP could
> > > > know whether the OP is actually using "unphishable" authentication
> > > > when that kind of authentication is requested. Is it necessary for the
> > > > RP to be able to tell for sure, and if so, how could it tell?
> > >
> > > No, I don't think it is necessary. If users want to trust their
> > > identity to OPs that lie, that's their decision.
> >
> > In that case, I think this could just be part of the "Assertion
> > Quality Extension." [1] I haven't been involved in that specification
> > at all, but my understanding is that it provides a way of expressing
> > what kind of authentication the RP would like to have when a request
> > is made to the OP.
>
> Actually, it appears to allow the RP to tell the OP what kind of
> authentication was used, which is backwards.

Sorry, I mean the OP to tell the RP!

>
> It also seems to be rather lacking in meat. Still, a step in the right
> direction.
>
> >
> > Josh
> >
> > 1. http://openid.net/specs/openid-assertion-quality-extension-1_0-01.html
> >
>
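The negotiation sketched in this thread (RP states the weakest End User/OP authentication it will accept, OP claims what it used, RP decides) as an added example, not code from the thread, from OpenID or from the Assertion Quality Extension. The parameter names `x.rp.min_auth_strength` and `x.op.auth_method`, the strength classes and the method table are all constructed for illustration. It also covers the point raised in the thread that the RP cannot verify the OP's claim: the policy either believes any OP (the user's choice of OP is the trust decision) or, optionally, believes the claim only from a configured set of OPs.

```python
from dataclasses import dataclass
from enum import IntEnum


class AuthStrength(IntEnum):
    """Coarse, ordered classes of End User/OP authentication.
    The class names are ours, not terms from any OpenID specification."""
    ANY = 0                  # RP does not care how the user authenticated
    SHARED_SECRET = 1        # password, OTP code: phishable
    PHISHING_RESISTANT = 2   # the thread's "unphishable" authentication


# Constructed table: method labels an OP might claim -> strength class.
# Unknown labels are deliberately absent and fall back to the weakest class.
METHOD_CLASS = {
    "password": AuthStrength.SHARED_SECRET,
    "otp": AuthStrength.SHARED_SECRET,
    "client-cert": AuthStrength.PHISHING_RESISTANT,
    "origin-bound-token": AuthStrength.PHISHING_RESISTANT,
}

REQ_KEY = "x.rp.min_auth_strength"   # hypothetical request parameter name
RESP_KEY = "x.op.auth_method"        # hypothetical response parameter name


@dataclass(frozen=True)
class RPPolicy:
    minimum: AuthStrength
    # OPs whose claims the RP will believe when it requires more than ANY.
    # Empty means "believe any OP": the user's choice of OP is the trust decision.
    trusted_ops: frozenset = frozenset()


def build_request(policy: RPPolicy) -> dict:
    """RP -> OP: state the weakest authentication the RP will accept."""
    return {REQ_KEY: policy.minimum.name}


def build_response(method: str) -> dict:
    """OP -> RP: the OP's claim of what it used. The RP cannot verify this."""
    return {RESP_KEY: method}


def evaluate_response(policy: RPPolicy, op_endpoint: str, response: dict):
    """RP decision on an OP response. Returns (accepted, reason)."""
    if policy.minimum == AuthStrength.ANY:
        return True, "no requirement; any EU/OP authentication accepted"
    claimed = response.get(RESP_KEY)
    if claimed is None:
        # A silent OP cannot satisfy a requirement above ANY.
        return False, "OP made no authentication claim"
    strength = METHOD_CLASS.get(claimed, AuthStrength.ANY)
    if strength < policy.minimum:
        return False, f"claimed {claimed!r} is below {policy.minimum.name}"
    if policy.trusted_ops and op_endpoint not in policy.trusted_ops:
        # Claim is strong enough on paper, but this RP only believes listed OPs.
        return False, f"claim not accepted from untrusted OP {op_endpoint}"
    return True, f"claimed {claimed!r} meets {policy.minimum.name}"


if __name__ == "__main__":
    low_value = RPPolicy(AuthStrength.ANY)
    high_value = RPPolicy(AuthStrength.PHISHING_RESISTANT)
    op = "https://op.example/"   # constructed OP endpoint
    print(build_request(high_value))
    for method in ("password", "client-cert", "unknown-thing"):
        print(method, evaluate_response(high_value, op, build_response(method)))
    print("low-value site:", evaluate_response(low_value, op, build_response("password")))
```

The ordering of `AuthStrength` is what makes "at least this strong" a single comparison; the empty `trusted_ops` default reproduces the position taken in the thread (no RP-side verification), and a non-empty set is the one mitigation an RP has if it does not want to rely on the user's choice of OP for high-value logins.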
