Recently saw a demo of Vidoop and think there approach rocks. Was curious if there is an opportunity to express an authentication strength and style as an attribute to be consumed by the relying party. * This
+ [...] For example it is recommended that if the OP +specified the Multi-Factor Physical Authentication policy and the RP +requested the Multi-Factor Authentication policy, that the RP's +requirements were met. This puts undue requirements on the RP
I see both sides of this. At the end of the day the RP is ultimately making the decision as to if the user can proceed or not. Just as in SREG if the RP says email is required and the user/OP choose not to provide it, the RP still has to decide what to do. I do agree that it is easier on
Cool, committed. http://svn.openid.net/diff.php?repname=specificationspath=% 2Fprovider_authentication_policy_extension%2F1.0%2Ftrunk%2Fopenid- provider-authentication-policy-extension-1_0.xmlrev=378sc=1 We ready to publish Draft 2? --David On Oct 23, 2007, at 2:46 PM, Barry Ferg wrote:
Begin forwarded message: From: David Recordon [EMAIL PROTECTED] Date: October 23, 2007 4:39:23 PM PDT To: OpenID List [EMAIL PROTECTED] Subject: [OpenID] Provider Assertion Policy Extension Draft 2 Published Reply-To: [EMAIL PROTECTED] Hey all, Draft 2 of PAPE has now been published.
I am keen for the RP to identify itself when it performs discovery – and I would love this feature to be in 2.0 before it is finalized. The proposal is very simple (to describe and to implement): RPs add a “From:” HTTP header field to HTTP requests made during the discovery phase. The