Hey all,
It turned out that a call had been scheduled, following the OSIS interoperability event in Barcelona, to discuss PAPE issues from the interop. I heard about the call a few minutes beforehand, but Mike, Johnny, and I had a really productive call. If no one disagrees, we should get these edits into the spec and release draft 3.

Thanks,
--David

Begin forwarded message:

From: Mike Jones <[EMAIL PROTECTED]>
Date: November 1, 2007 10:04:02 PM GMT+01:00
To: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>, Johnny Bufu <[EMAIL PROTECTED]>, "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>
Subject: OSIS PAPE call results

Today we held the call discussing OSIS feedback on the PAPE spec. Topics covered and recommendations made on the call were:

- Authorization decisions should be made solely by the relying party. The identity provider should accurately report the status of all policies requested by the relying party that the authentication complies with and may also choose to report the status of any policies that apply that were not explicitly requested. The policies are not mutually exclusive and no relationship between the different policies should be implied. A clarification to this effect should be added to the draft.

- There was a request for a definition of Active Authentication as used in the auth_time element description. Intuitively, this involves at least having the user be at the machine as a participant in the authentication interaction in some manner. We agreed that we should look for an existing definition of active authentication that appears to apply.

- The table in Appendix A.1.1 of http://openid.net/specs/openid-provider-authentication-policy-extension-1_0-02.html needs to be updated to be consistent with the definition in Section 4. Specifically: PIN and soft OTP token should not be marked as phishing-resistant. PIN and hard OTP token should not be marked as phishing-resistant. Information Cards should be added and listed as phishing-resistant. Active password managers that only release the password to the correct site should be listed as phishing-resistant.

- If relying parties and OPs want to communicate actual authentication methods used, that should happen via a different spec than PAPE. Then the market can decide whether to use PAPE, this spec, both, or neither. (However some in the group have both privacy concerns about this and concerns about enabling attackers by giving them additional information to use in their attacks.)

Finally, while we failed to discuss this on the call, I also believe that: PIN and digital certificate via HTTPS is phishable if the same certificate value is released to every site; PIN and digital certificate via HTTPS is not phishable if a different certificate value is released to every site; and that the table should be updated accordingly in this case as well. Someone who's an expert in this method should pipe in and provide guidance.

                                    Thanks all!
                                    -- Mike


_______________________________________________
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs
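The first recommendation above (the relying party alone makes the authorization decision; the OP reports which requested policies were met and may report others; no policy implies another) is easy to get wrong on the RP side. The following is an added example, not code from the thread or from the OpenID project, showing how an RP might evaluate a PAPE response under that rule. The parameter names (openid.pape.auth_policies, openid.pape.auth_time, max_auth_age) and policy URIs are taken from the PAPE 1.0 draft linked in the message; the message itself does not quote them, and the "none" sentinel URI is an assumption from that draft. The response messages are constructed for illustration.

```python
# Added example (not from the original thread): relying-party evaluation of a
# PAPE response. The RP decides authorization solely from the policies it
# requested; extra policies the OP volunteers are recorded but never change
# the decision, and no policy is treated as implying another.
# Parameter and policy names are from the PAPE 1.0 draft referenced in the
# message (assumed, not quoted on the page); sample responses are constructed.
from datetime import datetime, timedelta, timezone

POLICY_BASE = "http://schemas.openid.net/pape/policies/2007/06/"
PHISHING_RESISTANT = POLICY_BASE + "phishing-resistant"
MULTI_FACTOR = POLICY_BASE + "multi-factor"
MULTI_FACTOR_PHYSICAL = POLICY_BASE + "multi-factor-physical"
# Sentinel an OP sends when none of the policies were met (assumed from the
# PAPE draft); treated here simply as "no policy satisfied".
NONE_POLICY = POLICY_BASE + "none"


def parse_auth_policies(value):
    """Split the space-separated auth_policies value into a set of URIs.

    Order carries no meaning and duplicates collapse; the 'none' sentinel
    yields an empty set. Unknown URIs are kept for logging, but a requested
    policy is only satisfied by its own exact URI.
    """
    uris = set(value.split())
    uris.discard(NONE_POLICY)
    return uris


def parse_auth_time(value):
    """Parse openid.pape.auth_time, a UTC timestamp 'YYYY-MM-DDThh:mm:ssZ'."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def evaluate_pape_response(requested, response, now=None, max_auth_age=None):
    """Return the RP's decision for one response.

    'authorized' is True only if every requested policy URI is reported as
    satisfied and, when max_auth_age (seconds) is given, auth_time is fresh
    enough. 'unrequested' lists policies the OP reported on its own; they
    are informational only and do not influence 'authorized'.
    """
    requested = set(requested)
    satisfied = parse_auth_policies(response.get("openid.pape.auth_policies", ""))
    missing = requested - satisfied
    unrequested = satisfied - requested

    fresh = True
    if max_auth_age is not None:
        auth_time = response.get("openid.pape.auth_time")
        if auth_time is None:
            fresh = False  # RP asked for a freshness bound but got no timestamp
        else:
            now = now or datetime.now(timezone.utc)
            fresh = now - parse_auth_time(auth_time) <= timedelta(seconds=max_auth_age)

    return {
        "authorized": not missing and fresh,
        "satisfied": satisfied & requested,
        "missing": missing,
        "unrequested": unrequested,
        "fresh": fresh,
    }


def run_constructed_scenarios():
    """Evaluate four constructed OP responses against an RP that requires
    phishing resistance; returns the decisions keyed by scenario name."""
    requested = {PHISHING_RESISTANT}
    fixed_now = parse_auth_time("2007-11-01T21:04:02Z")  # constructed clock
    scenarios = {
        # OP reports the requested policy plus one it chose to add; order differs.
        "extra_policy_reported": {
            "openid.pape.auth_policies": MULTI_FACTOR + " " + PHISHING_RESISTANT},
        # Multi-factor alone does not imply phishing resistance.
        "only_multi_factor": {"openid.pape.auth_policies": MULTI_FACTOR},
        # OP met nothing.
        "none_met": {"openid.pape.auth_policies": NONE_POLICY},
        # Policy met, but the authentication is older than the RP tolerates.
        "stale_auth_time": {
            "openid.pape.auth_policies": PHISHING_RESISTANT,
            "openid.pape.auth_time": "2007-11-01T20:00:00Z"},
    }
    results = {}
    for name, resp in scenarios.items():
        max_age = 3600 if name == "stale_auth_time" else None
        results[name] = evaluate_pape_response(requested, resp, fixed_now, max_age)
    return results


if __name__ == "__main__":
    for name, decision in run_constructed_scenarios().items():
        print(name, "authorized=%s missing=%s unrequested=%s" % (
            decision["authorized"], sorted(decision["missing"]),
            sorted(decision["unrequested"])))
```

The point of the set arithmetic is that the OP's response never expands the RP's requirements: a reported multi-factor policy is logged under "unrequested" but does not stand in for the phishing-resistant policy the RP actually asked for.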
