incubator-heraldry-dev mailing list archives

From "Josh Hoyt" <j...@janrain.com>
Subject Re: [OpenID] Announcing OpenID Authentication 2.0 - Implementor's Draft 11
Date Mon, 22 Jan 2007 17:33:43 GMT

Ben,

On 1/22/07, Ben Laurie <benl@google.com> wrote:
> OK, the idea is pretty simple. Rather like the "OpenID Authentication
> Security Profiles" you have a profile where the RP states what kind of
> End User/OP authentication is acceptable to it. Sites with low/zero
> value attached to the login can accept any kind of EU/OP auth, whereas
> high value sites can require "unphishable" auth.

I like the sound of this proposal, but I don't see how the RP could
know whether the OP is actually using "unphishable" authentication
when that kind of authentication is requested. Is it necessary for the
RP to be able to tell for sure, and if so, how could it tell?

Josh
