RE: [OpenID] Assertion Quality Extension => openid.importance

2006-12-11 Thread Manger, James H
What happened to all the concern about openid.auth_age (in early October)? I echo Kevin Turner's worry that “features like this will mislead the RP developers into thinking they have more control over the authentication protocol than they really do… when OpenID actually leaves all those controls

Re: [OpenID] Assertion Quality Extension => openid.importance

2006-12-12 Thread Martin Atkins
Manger, James H wrote:
>
> The user-centric solution is not for the RP to specify a max auth age (or
> captcha or email verification or handbio or hardotp…), but for the RP to
> indicate the importance of the authentication. The user (with a little help
> from their OP) decides how to react (eg

Re: [OpenID] Assertion Quality Extension => openid.importance

2006-12-12 Thread Paul Madsen
Is there not a potential contradiction between an RP expressing both of 'this is very very important to me' and 'I leave it to you as to the specifics'? If the RP authenticated the user locally and not through OpenID, and the resources it was protecting were of any value or sensitivity, it woul

Re: [OpenID] Assertion Quality Extension => openid.importance

2006-12-12 Thread Martin Atkins
Paul Madsen wrote:
> Is there not a potential contradiction between an RP expressing both of
> 'this is very very important to me' and 'I leave it to you as to the
> specifics'?
>
Perhaps, but that is the case in both the "IdP reports" and the "RP suggests" case: either way the IdP is calling

Re: [OpenID] Assertion Quality Extension => openid.importance

2006-12-12 Thread Justin S. Peavey
Echoing Kevin's comments from October on this (http://openid.net/pipermail/specs/2006-October/000223.html) This model will only fly in the general case when the user or some other non-RP agent is willing to assume all risk/liability for the transaction the user's identity is requesting. Barring t

RE: [OpenID] Assertion Quality Extension => openid.importance

2006-12-12 Thread Manger, James H
The RP is not saying “this is very very important to *me*”. It is saying “in my opinion, this is likely to be very very important to *you*”. Consequently, it is not a contradiction for the RP to also say “I leave it to you as to the specifics”.
> Does participating in OpenID mean the RP givin

Re: [OpenID] Assertion Quality Extension => openid.importance

2006-12-12 Thread Justin S. Peavey
Manger, James H wrote:
>
> For most RPs there shouldn’t be a high price (if any price). When the
> login only gives access to the user’s own resources (be they colour
> preferences, reputation, personal details, money…), then any
> inappropriately weak authentication of the user by their OP only
>

Re: [OpenID] Assertion Quality Extension => openid.importance

2006-12-13 Thread Martin Atkins
Manger, James H wrote:
> A related hassle is that when my OP supports a new authentication method
> (such as a strong password-authenticated key agreement scheme (eg SRP)),
> existing RPs will not recognize this method as strong enough for the RP’s
> expectations – regardless of the method’s act

Re: [OpenID] Assertion Quality Extension => openid.importance

2006-12-13 Thread Martin Atkins
Justin S. Peavey wrote:
>
> I fully agree with you in your example above until you mention money.
> In the Amazon example for book purchases, the user is not the one
> affected by a mis-authenticated transaction, Amazon and the credit-card
> companies are; the user is indemnified by most credit c