Manger, James H wrote:
A related hassle is that when my OP supports a new authentication method
(such as a strong password-authenticated key agreement scheme (eg SRP)),
existing RPs will not recognize this method as strong enough for the RP’s
expectations – regardless of the method’s actual
Justin S. Peavey wrote:
I fully agree with you in your example above until you mention money.
In the Amazon example for book purchases, the user is not the one
affected by a mis-authenticated transaction, Amazon and the credit-card
companies are; the user is indemnified by most credit card
Manger, James H wrote:
The user-centric solution is not for the RP to specify a max auth age (or
captcha or email verification or handbio or hardotp…), but for the RP to
indicate the importance of the authentication. The user (with a little help
from their OP) decides how to react (eg
Paul Madsen wrote:
Is there not a potential contradiction between an RP expressing both of
'this is very very important to me' and 'I leave it to you as to the
specifics'?
Perhaps, but that is the case in both the IdP reports and the RP
suggests case: either way the IdP is calling the
The RP is not saying “this is very very important to *me*”. It is saying “in
my opinion, this is likely to be very very important to *you*”. Consequently,
it is not a contradiction for the RP to also say “I leave it to you as to the
specifics”.
Does participating in OpenID mean the RP
Manger, James H wrote:
For most RPs there shouldn’t be a high price (if any price). When the
login only gives access to the user’s own resources (be they colour
preferences, reputation, personal details, money…), then any
inappropriately weak authentication of the user by their OP only
What happened to all the concern about openid.auth_age (in early October)?
I echo Kevin Turner's worry that “features like this will mislead the RP
developers into thinking they have more control over the authentication
protocol than they really do… when OpenID actually leaves all those
