One parameter of PAPE was allowing the RP to specify how long it had been since the OP had authenticated the user.
There is a PAPE working group right now; if you were interested in looking at how your suggestions would be incorporated, I am sure they would welcome you to the group. I've cc'ed Mike Jones, who is one of the people driving PAPE.

-- Dick

On 2-Jul-08, at 7:45 AM, Simon Josefsson wrote:

> Hi.
>
> Is there a best practice on how OpenID consumers can find out whether
> re-authenticating the user, via the OpenID server, once in a while can
> lead to improved security?
>
> The security of normal one-time password systems (SecurID, SMS codes,
> Yubikeys, ..) can be improved if you ask for a new one-time password
> once in a while.
>
> Of course, the OpenID server cannot do this on its own, so it needs to
> be initiated by the OpenID consumer, but that will not happen without
> clues that it is a good idea to perform re-authentication.
>
> Thoughts?
>
> Would this be a worthwhile addition to the
> openid-provider-authentication-policy-extension document? I'm thinking
> that the Response Parameters should include an optional parameter that
> implies that a one-time-password system was used, which suggests that the
> RP may re-authenticate the user more frequently.
>
> It may be useful to generalize this idea somewhat, but I can't come up
> with a better abstraction. Even re-authenticating using password may
> improve security in some situations (although I suspect most passwords
> are cached by browsers anyway these days). Ideas welcome.
>
> Thanks,
> Simon
>
> Btw, this idea originated from discussions on
> <http://forum.yubico.com/viewtopic.php?f=9&t=126>.
> _______________________________________________
> specs mailing list
> specs@openid.net
> http://openid.net/mailman/listinfo/specs
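As an added illustration of the RP-side logic the thread discusses (this is example code, not part of the mailing-list exchange or of any OpenID library): the RP asks the OP for a fresh login with openid.pape.max_auth_age, then checks the returned openid.pape.auth_time and openid.pape.auth_policies to decide whether to accept the assertion and how soon to re-authenticate. The parameter and policy names are those defined by PAPE 1.0; the re-authentication intervals, the clock-skew tolerance and the sample response are assumptions made up for the example.

```python
from datetime import datetime, timedelta, timezone

# Policy URIs defined by PAPE 1.0; which ones an OP reports depends on how it
# actually authenticated the user.
MF_PHYSICAL = "http://schemas.openid.net/pape/policies/2007/06/multi-factor-physical"
MULTI_FACTOR = "http://schemas.openid.net/pape/policies/2007/06/multi-factor"

# Hypothetical RP policy (an assumption, not from PAPE): how stale an
# authentication may become before the RP sends a new checkid request
# carrying openid.pape.max_auth_age to force re-authentication.
REAUTH_INTERVAL = {
    MF_PHYSICAL: timedelta(minutes=15),   # hardware OTP: cheap to re-prompt
    MULTI_FACTOR: timedelta(hours=1),
}
DEFAULT_INTERVAL = timedelta(hours=24)     # password only
CLOCK_SKEW = timedelta(minutes=5)          # tolerated OP/RP clock difference (assumed)

def parse_auth_time(value):
    """openid.pape.auth_time is an ISO 8601 UTC timestamp, e.g. 2005-05-15T17:11:51Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_pape_response(params, max_auth_age, now):
    """Validate the openid.pape.* fields of a positive assertion.

    params       -- dict of response parameters sent by the OP
    max_auth_age -- seconds the RP requested in openid.pape.max_auth_age, or None
    Returns (accepted, reason, reauth_interval).
    """
    auth_time = params.get("openid.pape.auth_time")
    if auth_time is None:
        # The OP did not say when it authenticated the user, so the RP cannot
        # tell whether the session is fresh; a cautious RP rejects the assertion.
        return False, "no openid.pape.auth_time in response", None
    age = now - parse_auth_time(auth_time)
    if age < -CLOCK_SKEW:
        return False, "auth_time is in the future", None
    if max_auth_age is not None and age > timedelta(seconds=max_auth_age) + CLOCK_SKEW:
        return False, "authentication older than requested max_auth_age", None
    # Space-separated policy URIs, or "none" when the OP applied no policy.
    policies = set(params.get("openid.pape.auth_policies", "none").split())
    interval = min([REAUTH_INTERVAL[p] for p in policies if p in REAUTH_INTERVAL],
                   default=DEFAULT_INTERVAL)
    return True, "ok", interval

# Constructed sample: a hardware-OTP login ten minutes ago; the RP had asked for max_auth_age=3600.
SAMPLE = {
    "openid.pape.auth_time": "2008-07-02T14:50:00Z",
    "openid.pape.auth_policies": MF_PHYSICAL,
}
NOW = datetime(2008, 7, 2, 15, 0, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(check_pape_response(SAMPLE, 3600, NOW))
```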