Hey Dennis, take a look at the Provider Authentication Policy Exchange extension as it's meant to provide some of this sort of information. It is a bit more abstract then what you're describing, but has been used successfully for similar needs
http://openid.net/specs/openid-provider-authentication-policy-extension-1_0.html --David On Sun, Aug 15, 2010 at 10:08 PM, Dennis Gearon <[email protected]> wrote: > I would like to hear some small discussion on an idea/request that I have for > the openID spec. > > When validating with an openID source/server (not uup to speed on > architecture of openID yet), part of what gets returned is the following data: > > A/ A standardized authentication-difficulty rating from the site validating > the user. I.E., If my password at yahoo is only 6 characters long, and Yahoo > accepts it, yahoo still runs an openID lib procedure against the password > when it's created and some standard values get returned, i.e.: > > weak > OK > strong > exceptional. > > B/ A second field saying whether multiple tokens were used, such as: > > one time pad rotating code key fobs > password and drop of blood > password and handprint > et. al. > > OR, it could send a value saying it meets certain standards out there, if > there are any. Maybe setting standards would be a good idea!!! I bet the > military has some. Apparently, congressmen and others aren't required to use > them on their email/social site accounts ;-) > > > > > Dennis Gearon > > Signature Warning > ---------------- > EARTH has a Right To Life, > otherwise we all die. > > Read 'Hot, Flat, and Crowded' > Laugh at http://www.yert.com/film.php > > _______________________________________________ > specs mailing list > [email protected] > http://lists.openid.net/mailman/listinfo/openid-specs > _______________________________________________ specs mailing list [email protected] http://lists.openid.net/mailman/listinfo/openid-specs
