On 6/5/06, Sam Hartman <[EMAIL PROTECTED]> wrote:
> >>>>> "Eric" == Eric Rescorla <[EMAIL PROTECTED]> writes:
> Eric> Sam Hartman <[EMAIL PROTECTED]> writes:
> >>>>>>> "Eric" == Eric Rescorla <[EMAIL PROTECTED]> writes:
> >>
> Eric> Sam Hartman <[EMAIL PROTECTED]> writes:
> >> >>>>>>> "Pete" == Pete Rowley <[EMAIL PROTECTED]> writes:
> >> >>
> Pete> It is a requirement if you require to support more than
> Pete> authN. Access to a site might require an "I am over 21"
> Pete> token, authZ without direct authN - DIX supports that, and I
> Pete> believe it is important to do so.
> >> >> I think the over-21 example is particularly bad because I
> >> >> cannot imagine a site (at least in the US) not taking
> >> >> responsibility for that check themselves based on demographic
> >> >> data they request. It seems like way too much of a risk to
> >> >> outsource this to an identity provider especially if you
> >> allow
> >> identities from a number of different identity
> >> providers.
> >>
> Eric> I'm surprised to see you make this claim, since outsourced
> Eric> adult verification services for porn sites are extremely
> Eric> common.
> >> My point is that I expect the porn site to have a contract
> >> with some verification service they trust and not to want to
> >> handle that data transport through the identity exchange.
> Eric> I'm not sure I see the distinction here.
>
> The distinction is layer 9; I don't think there is a technical
> distinction. It is my impression mostly from financial sector
> businesses that you are going to see people verifying this
> information themselves (through a separate exchange with a business
> partner) rather than trusting the same assertion signed as part of
> the identity exchange.

Hmmm. I see people trusting client certs (in the financial sector, as it happens), so I can't say I agree that this is by any means universal.

> --Sam

_______________________________________________
dix mailing list
[email protected]
https://www1.ietf.org/mailman/listinfo/dix
