On 1/22/07, Ben Laurie <[EMAIL PROTECTED]> wrote:
> On 1/22/07, Josh Hoyt <[EMAIL PROTECTED]> wrote:
> > On 1/22/07, Ben Laurie <[EMAIL PROTECTED]> wrote:
> > > > On 1/22/07, Ben Laurie <[EMAIL PROTECTED]> wrote:
> > > > > OK, the idea is pretty simple. Rather like the "OpenID Authentication
> > > > > Security Profiles" you have a profile where the RP states what kind of
> > > > > End User/OP authentication is acceptable to it. Sites with low/zero
> > > > > value attached to the login can accept any kind of EU/OP auth, whereas
> > > > > high value sites can require "unphishable" auth.
> > > >
> > > > I like the sound of this proposal, but I don't see how the RP could
> > > > know whether the OP is actually using "unphishable" authentication
> > > > when that kind of authentication is requested. Is it necessary for the
> > > > RP to be able to tell for sure, and if so, how could it tell?
> > >
> > > No, I don't think it is necessary. If users want to trust their
> > > identity to OPs that lie, that's their decision.
> >
> > In that case, I think this could just be part of the "Assertion
> > Quality Extension." [1] I haven't been involved in that specification
> > at all, but my understanding is that it provides a way of expressing
> > what kind of authentication the RP would like to have when a request
> > is made to the OP.
>
> Actually, it appears to allow the RP to tell the OP what kind of
> authentication was used, which is backwards.

Sorry, I mean the OP to tell the RP!

> It also seems to be rather lacking in meat. Still, a step in the right
> direction.
>
> > Josh
> >
> > 1. http://openid.net/specs/openid-assertion-quality-extension-1_0-01.html

_______________________________________________
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs
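An added illustration of the RP-side profile discussed in this thread (example code, not part of the mailing list post or of the Assertion Quality Extension): the RP states the weakest End User/OP authentication it accepts in its request, the OP reports what it used in its response, and the RP decides. The `openid.aq.*` parameter names and the policy labels are assumptions made up for this example; the only real field is `openid.op_endpoint`. Because the RP cannot verify the OP's claim, the example honours an "unphishable" claim only from OPs the RP has chosen to trust.

```python
# Hypothetical policy labels, weakest to strongest. "any" means the RP
# (a low/zero-value site) accepts whatever the OP did, including no claim.
AUTH_LEVELS = {"any": 0, "password": 1, "one-time-code": 2, "unphishable": 3}
HIGH_VALUE = AUTH_LEVELS["unphishable"]


def build_request(return_to: str, required: str) -> dict:
    """RP -> OP: state the minimum acceptable End User/OP authentication."""
    if required not in AUTH_LEVELS:
        raise ValueError(f"unknown policy {required!r}")
    return {
        "openid.mode": "checkid_setup",
        "openid.return_to": return_to,
        "openid.aq.required_auth": required,  # hypothetical parameter name
    }


def accept_assertion(response: dict, required: str, trusted_ops: set) -> bool:
    """RP decides whether the OP's *claimed* authentication satisfies the
    requirement. The claim is unverifiable, so for a high-value requirement
    the RP only honours it from OPs it has decided to trust."""
    if required not in AUTH_LEVELS:
        raise ValueError(f"unknown policy {required!r}")
    op = response.get("openid.op_endpoint", "")
    claimed = response.get("openid.aq.auth_used")  # hypothetical parameter
    # Missing or unrecognised claim counts as the weakest level, not as a pass.
    claimed_level = AUTH_LEVELS.get(claimed, 0)
    required_level = AUTH_LEVELS[required]
    if claimed_level < required_level:
        return False
    if required_level >= HIGH_VALUE and op not in trusted_ops:
        return False  # an untrusted OP's "unphishable" claim is just a claim
    return True


if __name__ == "__main__":
    # Constructed sample exchange for a high-value RP.
    trusted = {"https://op.example/endpoint"}
    req = build_request("https://rp.example/return", "unphishable")
    resp = {"openid.op_endpoint": "https://op.example/endpoint",
            "openid.aq.auth_used": "unphishable"}
    print(req)
    print("accepted:", accept_assertion(resp, "unphishable", trusted))
```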