Chris Drake wrote:
> Hi All,
> 
> 1. Amazon asks the IdP "Please assert this user is not a Robot"
>    How can it trust this occurred?
> 
> 2. Amazon asks the IdP "Please re-authenticate this user, via
>    two-factor, two-way strong authentication"
>    How can it trust *this* occurred?
> 
> The IdP can *say* it did, but would RPs prefer a "stronger" role to
> encourage adoption? (eg: #1 - the RP provides the captcha, and the
> hash of the solution, while the IdP returns the solution, or #2 - the
> RP provides a nonce and later looks for this nonce in the IdP's
> also-signed-by-the-authentication-vendor-technology response)
> 
> i.e.: It might get ugly to try and add this stuff in later if we've
> not catered up-front for these kinds of interchanges.
> 

These use-cases seem like good ones, in that it's something that's
actually *verifiable*, rather than relying on a trust relationship that
probably doesn't exist between RP and IdP.

I still don't think this should be in the core spec — core OpenID Auth
should be simple — but we should make sure that it's possible to add it
via extension and, if it isn't, adjust the way extensions work to make it
possible.


_______________________________________________
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs
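
Option #2 from the quoted message, seen from the RP's side, as an added example that is not part of the original thread or of any OpenID specification: the RP issues a nonce and accepts the result only if that nonce comes back inside a response signed by the authentication vendor. All names and fields are hypothetical, and HMAC with a constructed shared key stands in for the vendor's signature; a deployment would use a public-key signature so the RP holds only the vendor's verification key.

```python
import hashlib
import hmac
import json
import secrets
import time

VENDOR_KEY = b"constructed-demo-key"  # constructed; stands in for the vendor's signing key


def vendor_sign(key, nonce, method):
    """Hypothetical vendor step: sign the RP's nonce plus the method actually performed."""
    body = json.dumps({"nonce": nonce, "method": method}, sort_keys=True)
    sig = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}


class RelyingParty:
    def __init__(self, vendor_key, max_age=120):
        self._key = vendor_key
        self._max_age = max_age   # seconds a challenge stays valid
        self._pending = {}        # nonce -> issue time, one entry per open challenge

    def new_challenge(self, now=None):
        nonce = secrets.token_urlsafe(16)
        self._pending[nonce] = time.time() if now is None else now
        return nonce

    def verify(self, response, required_method, now=None):
        now = time.time() if now is None else now
        body, sig = response.get("body", ""), response.get("sig", "")
        expected = hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()
        # Check the vendor signature first; the IdP's say-so alone is not enough.
        if not hmac.compare_digest(expected.encode(), str(sig).encode()):
            return "bad-signature"
        claims = json.loads(body)
        nonce = claims.get("nonce")
        # pop() makes each nonce single-use, so a captured response cannot be replayed.
        issued = self._pending.pop(nonce, None) if isinstance(nonce, str) else None
        if issued is None:
            return "unknown-or-replayed-nonce"
        if now - issued > self._max_age:
            return "expired"
        if claims.get("method") != required_method:
            return "wrong-method"
        return "ok"
```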
