On 1/21/07, Ben Laurie <[EMAIL PROTECTED]> wrote:
> On 1/19/07, Dick Hardt <[EMAIL PROTECTED]> wrote:
> >
> > On 19-Jan-07, at 6:19 AM, Ben Laurie wrote:
> >
> > >
> > > Still totally unhappy about the phishing issues, which I blogged
> > > about here:
> > >
> > > http://www.links.org/?p=187
> >
> > There are numerous ways of solving this. Several standard methods can
> > solve it. It is a relationship between the user and the OP and the RP
> > is not party, so I don't think it belongs in the OpenID
> > Authentication specification.
> >
> > That does not mean it is not important, just that *this* spec is not
> > the right place.
>
> I think that's entirely wrong. The RP doesn't care at all about the OP
> - all the RP cares about is the end user.
>
> More importantly, I think I have a solution that will make both of us
> happy, but I now have to go and ride my motorbike fast, so I'll detail
> it later.
OK, the idea is pretty simple. Rather like the "OpenID Authentication Security Profiles" you have a profile where the RP states what kind of End User/OP authentication is acceptable to it. Sites with low/zero value attached to the login can accept any kind of EU/OP auth, whereas high value sites can require "unphishable" auth.

Obviously some serious work is needed to flesh out this proposal, but it seems to me it allows OpenID to stay lightweight (and phishable) where appropriate, but also to serve a useful purpose for high-value applications.

_______________________________________________
specs mailing list
[email protected]
http://openid.net/mailman/listinfo/specs
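The profile idea sketched in the message above, as an added illustration that is not part of the thread or of any OpenID specification: the RP declares which End User/OP authentication methods it will accept, sends that in its request, and checks the OP's reported method against the declaration when the response comes back. The parameter names `x_accepted_auth_methods` and `x_auth_method`, the method labels, and the two profiles are constructed for this example; the code assumes the OP's response has already passed the normal OpenID signature check and deals only with the policy decision.

```python
"""Hypothetical RP-side 'acceptable authentication' profile check.

Field names and method labels are invented for this example; they are not
OpenID protocol parameters. Signature verification of the OP response is
assumed to have happened before evaluate_response() is called.
"""
from dataclasses import dataclass

# Constructed method labels. "Unphishable" here means the credential cannot be
# captured and replayed by a look-alike OP page (e.g. a hardware token or a
# client certificate), as opposed to a password typed into a form.
PHISHABLE = "password"
UNPHISHABLE = frozenset({"hardware-token", "client-cert"})


@dataclass(frozen=True)
class RpProfile:
    """What an RP declares as acceptable EU/OP authentication for a login."""
    name: str
    accepted_methods: frozenset


# A low-value site accepts anything; a high-value site accepts only the
# unphishable methods.
LOW_VALUE = RpProfile("any", UNPHISHABLE | {PHISHABLE})
HIGH_VALUE = RpProfile("unphishable", UNPHISHABLE)


def build_request(profile: RpProfile, return_to: str) -> dict:
    """RP -> OP: standard checkid_setup fields plus the hypothetical
    x_accepted_auth_methods parameter carrying the RP's profile."""
    return {
        "openid.mode": "checkid_setup",
        "openid.return_to": return_to,
        "x_accepted_auth_methods": ",".join(sorted(profile.accepted_methods)),
    }


def evaluate_response(profile: RpProfile, response: dict) -> tuple:
    """RP side: decide whether the OP's reported method satisfies the profile.

    Returns (accepted, reason). A response that omits the method, or names
    one the RP does not recognise, is treated as phishable: a high-value RP
    therefore rejects it instead of assuming the best about the OP.
    """
    method = response.get("x_auth_method")
    if method is None or method not in (UNPHISHABLE | {PHISHABLE}):
        accepted = PHISHABLE in profile.accepted_methods
        return accepted, "OP reported no known auth method; treated as phishable"
    if method in profile.accepted_methods:
        return True, f"{method} accepted under profile '{profile.name}'"
    return False, f"{method} not acceptable under profile '{profile.name}'"


if __name__ == "__main__":
    # Constructed OP responses: one password login, one hardware-token login,
    # one that says nothing about how the user authenticated.
    for resp in ({"x_auth_method": "password"},
                 {"x_auth_method": "hardware-token"},
                 {}):
        for profile in (LOW_VALUE, HIGH_VALUE):
            print(profile.name, resp, evaluate_response(profile, resp))
```

The design point is in the last branch of `evaluate_response`: an OP that does not say how the user authenticated is treated as if it used the weakest method, so the high-value profile fails closed while the low-value profile still admits the login, which is the lightweight/high-value split the message proposes.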
