The specifications council recommends that the Foundation members
approve the creation of the Provider Authentication Policy Extension
(PAPE) working group, as proposed below.
-- Dick
On 22-May-08, at 3:25 PM, Mike Jones wrote:
This message is being sent to revise the proposal to create the PAPE
working group, changing only one word, so that the projected
completion date is July 2008, rather than May 2008. The complete
text of the revised proposal follows.
--- Mike
In accordance with the OpenID Foundation IPR policies and procedures
this note proposes the formation of a new working group chartered to
produce an OpenID specification. As per Section 4.1 of the
Policies, the specifics of the proposed working group are:
Proposal:
(a) Charter.
(i) WG name: Provider Authentication Policy
Extension (PAPE)
(ii) Purpose: Produce a standard OpenID extension
to the OpenID Authentication protocol that: provides a mechanism by
which a Relying Party can request that particular authentication
policies be applied by the OpenID Provider when authenticating an
End User and provides a mechanism by which an OpenID Provider may
inform a Relying Party which authentication policies were used. Thus
a Relying Party can request that the End User authenticate, for
example, using a phishing-resistant and/or multi-factor
authentication method.
(iii) Scope: Produce a revision of the PAPE 1.0
Draft 2 specification that clarifies its intent, while maintaining
compatibility for existing Draft 2 implementations. Adding any
support for communicating requests for or the use of specific
authentication methods (as opposed to authentication policies) is
explicitly out of scope.
(iv) Proposed List of Specifications: Provider
Authentication Policy Extension 1.0, spec completion expected during
July 2008.
(v) Anticipated audience or users of the work:
Implementers of OpenID Providers and Relying Parties – especially
those interested in mitigating the phishing vulnerabilities of
logging into OpenID providers with passwords.
(vi) Language in which the WG will conduct
business: English.
(vii) Method of work: E-mail discussions on the
working group mailing list, working group conference calls, and
possibly a face-to-face meeting at the Internet Identity Workshop.
(viii) Basis for determining when the work of the
WG is completed: Proposed changes to draft 2 will be evaluated on
the basis of whether they increase or decrease consensus within the
working group. The work will be completed once it is apparent that
maximal consensus on the draft has been achieved, consistent with
the purpose and scope.
(b) Background Information.
(i) Related work being done in other WGs or
organizations: (1) Assurance Levels as defined by the National
Institute of Standards and Technology (NIST) in Special Publication
800-63 (Burr, W., Dodson, D., and W. Polk, Ed., “Electronic
Authentication Guideline,” April 2006.) [NIST_SP800‑63]. This
working group is needed to enable authentication policy statements
to be exchanged by OpenID endpoints. No coordination is needed with
NIST, as the PAPE specification uses elements of the NIST
specification in the intended fashion.
(ii) Proposers:
Michael B. Jones, [EMAIL PROTECTED], Microsoft Corporation
David Recordon, [EMAIL PROTECTED], Six Apart Corporation
Ben Laurie, [EMAIL PROTECTED], Google Corporation
Drummond Reed, [EMAIL PROTECTED], Cordance Corporation
John Bradley, [EMAIL PROTECTED], Wingaa Corporation
Johnny Bufu, [EMAIL PROTECTED], Independent
Dick Hardt, [EMAIL PROTECTED], Sxip Identity Corporation
Editors:
Michael B. Jones, [EMAIL PROTECTED], Microsoft Corporation
David Recordon, [EMAIL PROTECTED], Six Apart Corporation
(iii) Anticipated Contributions: None.
_______________________________________________
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs