subject:"Strong Authencation \(was \[PROPOSAL\] authentication age"

RE: Re[2]: Strong Authencation (was [PROPOSAL] authentication age

2006-10-06 Thread Drummond Reed

Thanks, Hans, I'm getting better educated on 2.0 every day.

=Drummond 

-Original Message-
From: Granqvist, Hans [mailto:[EMAIL PROTECTED] 
Sent: Friday, October 06, 2006 9:21 AM
To: Drummond Reed; Chris Drake
Cc: specs@openid.net
Subject: RE: Re[2]: Strong Authencation (was [PROPOSAL] authentication age

I think the 2.0 spec extension mechanism could handle signed
credentials. For example, "credentials=" where  is of 
a (string) format that contains a type + signature, say

credentials=OATHVIP:WW91IGhhZCB0byBjaGVjaywgZGlkbid0IHlvdT8gOyk=

The format could also further specify mechanism types,
signer identity, and algorithm(s) used if those are not part 
of the definition of 'credentials'.

Hans


> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of Drummond Reed
> Sent: Thursday, October 05, 2006 2:26 PM
> To: 'Chris Drake'
> Cc: specs@openid.net
> Subject: RE: Re[2]: Strong Authencation (was [PROPOSAL] 
> authentication age
> 
> Chris,
> 
> Great examples. Signed credentials makes lots of sense. 
> OpenID AuthN 2.0 doesn't handle them yet but I can completely 
> understand them in the roadmap.
> 
> =Drummond 
> 
> -Original Message-
> From: Chris Drake [mailto:[EMAIL PROTECTED]
> Sent: Thursday, October 05, 2006 10:51 AM
> To: Drummond Reed
> Cc: specs@openid.net
> Subject: Re[2]: Strong Authencation (was [PROPOSAL] authentication age
> 
> Hi Drummond,
> 
> Example1: RSA would provide a signed response indicating that 
> the user correctly entered the SecurID token code.
> 
> Example2: The RP would have the public key of the company 
> that supplies the fingerprint scanning hardware (although 
> some extra thought as to how a fingerprint ultimately matches 
> to an Identity is required, which will need an entirely 
> different information flow to Example1).
> 
> Is Dick a vendor himself? he no doubt knows other ways.
> 
> Kind Regards,
> Chris Drake,
> =1id.com
> 
> 
> Friday, October 6, 2006, 3:19:44 AM, you wrote:
> 
> DR> Dick,
> 
> DR> You say, " The strong authentication will be supplied by a vendor 
> DR> that
> has
> DR> been certified to provide standardized levels of 
> authentication. The 
> DR> IdP will often NOT be the strong auth vendor."
> 
> DR> Can you explain how this might work, i.e., how can the RP have a 
> DR> relationship directly with the strong auth vendor and not 
> the IdP? 
> DR> Would
> the
> DR> IdP be outsourcing authentication to the strong auth vendor? In 
> DR> which
> case,
> DR> isn't the strong auth vendor the IdP?
> 
> DR> =Drummond
> 
> DR> -Original Message-
> DR> From: [EMAIL PROTECTED]
> DR> [mailto:[EMAIL PROTECTED] On Behalf Of Dick Hardt
> DR> Sent: Thursday, October 05, 2006 9:36 AM
> DR> To: Gabe Wachob
> DR> Cc: specs@openid.net
> DR> Subject: Strong Authencation (was [PROPOSAL] authentication age
> 
> DR> The vision I have is that strong authentication to your 
> IdP will be 
> DR> common in the future.
> 
> DR> The strong authentication will be supplied by a vendor 
> that has been 
> DR> certified to provide standardized levels of 
> authentication. The IdP 
> DR> will often NOT be the strong auth vendor.
> 
> DR> The RP will have a trust relationship with the vendor, likely 
> DR> through a vendor consortium that delegates to vendors that their 
> DR> product is certified, ie. the RP will not need to trust 
> each vendor, 
> DR> just the certification body.
> 
> DR> I would hope that OpenID can be extended over time to be able to 
> DR> move around these types of strong auth assertions.
> 
> DR> -- Dick
> 
> 
> DR> On 4-Oct-06, at 8:41 PM, Gabe Wachob wrote:
> 
> >> Chris-
> >>As someone who has recently come from working in the financial 
> >> sector (Visa), its clear that OpenID is NOT intended for 
> >> authentication where the *relying party* cares about how the 
> >> authentication is performed.
> >>
> >>At places like Visa and for home banking, this means 
> that OpenID, 
> >> without something more, is clearly a non-starter. These relying 
> >> parties want to know exactly how their users are being 
> authenticated 
> >> because their business is all about risk management and creating 
> >> business opportunities around very good knowledge of the 
> risk profile 
> >> of each transaction type.
> >>
> >>That all being said, I believe it should be possible to 
> layer on 
> >> OpenID a form

Re: Strong Authencation (was [PROPOSAL] authentication age

2006-10-06 Thread Martin Atkins

Chris Drake wrote:
> Hi All,
> 
> 1. Amazon asks the IdP "Please assert this user is not a Robot"
>How can it trust this occurred?
> 
> 2. Amazon asks the IdP "Please re-authenticate this user, via
>two-factor, two-way strong authentication"
>How can it trust *this* occurred?
> 
> The IdP can *say* it did, but would RPs prefer a "stronger" role to
> encourage adoption? (eg: #1 - the RP provides the captcha, and the
> hash of the solution, while the IdP returns the solution, or #2 - the
> RP provides a nonce and later looks for this nonce in the IdP's
> also-signed-by-the-authentication-vendor-technology response)
> 
> i.e.: It might get ugly to try and add this stuff in later if we've
> not catered up-front for these kinds of interchanges.
> 

These use-cases seem like a good one, in that it's something that's 
actually *verifiable*, rather than relying on a trust relationship that 
probably doesn't exist between RP and IdP.

I still don't think this should be in the core spec — core OpenID Auth 
should be simple — but we should make sure that it's possible to add it 
via extension and if it isn't adjust the way extensions work to make it 
possible.

___
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs

RE: Re[2]: Strong Authencation (was [PROPOSAL] authentication age

2006-10-06 Thread Granqvist, Hans

I think the 2.0 spec extension mechanism could handle signed
credentials. For example, "credentials=" where  is of 
a (string) format that contains a type + signature, say

credentials=OATHVIP:WW91IGhhZCB0byBjaGVjaywgZGlkbid0IHlvdT8gOyk=

The format could also further specify mechanism types,
signer identity, and algorithm(s) used if those are not part 
of the definition of 'credentials'.

Hans


> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of Drummond Reed
> Sent: Thursday, October 05, 2006 2:26 PM
> To: 'Chris Drake'
> Cc: specs@openid.net
> Subject: RE: Re[2]: Strong Authencation (was [PROPOSAL] 
> authentication age
> 
> Chris,
> 
> Great examples. Signed credentials makes lots of sense. 
> OpenID AuthN 2.0 doesn't handle them yet but I can completely 
> understand them in the roadmap.
> 
> =Drummond 
> 
> -Original Message-
> From: Chris Drake [mailto:[EMAIL PROTECTED]
> Sent: Thursday, October 05, 2006 10:51 AM
> To: Drummond Reed
> Cc: specs@openid.net
> Subject: Re[2]: Strong Authencation (was [PROPOSAL] authentication age
> 
> Hi Drummond,
> 
> Example1: RSA would provide a signed response indicating that 
> the user correctly entered the SecurID token code.
> 
> Example2: The RP would have the public key of the company 
> that supplies the fingerprint scanning hardware (although 
> some extra thought as to how a fingerprint ultimately matches 
> to an Identity is required, which will need an entirely 
> different information flow to Example1).
> 
> Is Dick a vendor himself? he no doubt knows other ways.
> 
> Kind Regards,
> Chris Drake,
> =1id.com
> 
> 
> Friday, October 6, 2006, 3:19:44 AM, you wrote:
> 
> DR> Dick,
> 
> DR> You say, " The strong authentication will be supplied by a vendor 
> DR> that
> has
> DR> been certified to provide standardized levels of 
> authentication. The 
> DR> IdP will often NOT be the strong auth vendor."
> 
> DR> Can you explain how this might work, i.e., how can the RP have a 
> DR> relationship directly with the strong auth vendor and not 
> the IdP? 
> DR> Would
> the
> DR> IdP be outsourcing authentication to the strong auth vendor? In 
> DR> which
> case,
> DR> isn't the strong auth vendor the IdP?
> 
> DR> =Drummond
> 
> DR> -Original Message-
> DR> From: [EMAIL PROTECTED]
> DR> [mailto:[EMAIL PROTECTED] On Behalf Of Dick Hardt
> DR> Sent: Thursday, October 05, 2006 9:36 AM
> DR> To: Gabe Wachob
> DR> Cc: specs@openid.net
> DR> Subject: Strong Authencation (was [PROPOSAL] authentication age
> 
> DR> The vision I have is that strong authentication to your 
> IdP will be 
> DR> common in the future.
> 
> DR> The strong authentication will be supplied by a vendor 
> that has been 
> DR> certified to provide standardized levels of 
> authentication. The IdP 
> DR> will often NOT be the strong auth vendor.
> 
> DR> The RP will have a trust relationship with the vendor, likely 
> DR> through a vendor consortium that delegates to vendors that their 
> DR> product is certified, ie. the RP will not need to trust 
> each vendor, 
> DR> just the certification body.
> 
> DR> I would hope that OpenID can be extended over time to be able to 
> DR> move around these types of strong auth assertions.
> 
> DR> -- Dick
> 
> 
> DR> On 4-Oct-06, at 8:41 PM, Gabe Wachob wrote:
> 
> >> Chris-
> >>As someone who has recently come from working in the financial 
> >> sector (Visa), its clear that OpenID is NOT intended for 
> >> authentication where the *relying party* cares about how the 
> >> authentication is performed.
> >>
> >>At places like Visa and for home banking, this means 
> that OpenID, 
> >> without something more, is clearly a non-starter. These relying 
> >> parties want to know exactly how their users are being 
> authenticated 
> >> because their business is all about risk management and creating 
> >> business opportunities around very good knowledge of the 
> risk profile 
> >> of each transaction type.
> >>
> >>That all being said, I believe it should be possible to 
> layer on 
> >> OpenID a form of IDP control such that a relying party can 
> require a 
> >> certain class or group of IDPs be used when presenting 
> authentication 
> >> assertions to them. The actual *policy* for how these IDPs are 
> >> approved is probably orthogonal to the protocol spec, but "secure&

RE: Re[2]: Strong Authencation (was [PROPOSAL] authentication age

2006-10-05 Thread Drummond Reed

Chris,

Great examples. Signed credentials makes lots of sense. OpenID AuthN 2.0
doesn't handle them yet but I can completely understand them in the roadmap.

=Drummond 

-Original Message-
From: Chris Drake [mailto:[EMAIL PROTECTED] 
Sent: Thursday, October 05, 2006 10:51 AM
To: Drummond Reed
Cc: specs@openid.net
Subject: Re[2]: Strong Authencation (was [PROPOSAL] authentication age

Hi Drummond,

Example1: RSA would provide a signed response indicating that the user
correctly entered the SecurID token code.

Example2: The RP would have the public key of the company that
supplies the fingerprint scanning hardware (although some extra
thought as to how a fingerprint ultimately matches to an Identity is
required, which will need an entirely different information flow to
Example1).

Is Dick a vendor himself? he no doubt knows other ways.

Kind Regards,
Chris Drake,
=1id.com

Friday, October 6, 2006, 3:19:44 AM, you wrote:

DR> Dick,

DR> You say, " The strong authentication will be supplied by a vendor that
has
DR> been certified to provide standardized levels of authentication. The IdP
DR> will often NOT be the strong auth vendor."

DR> Can you explain how this might work, i.e., how can the RP have a
DR> relationship directly with the strong auth vendor and not the IdP? Would
the
DR> IdP be outsourcing authentication to the strong auth vendor? In which
case,
DR> isn't the strong auth vendor the IdP?

DR> =Drummond 

DR> -Original Message-
DR> From: [EMAIL PROTECTED]
DR> [mailto:[EMAIL PROTECTED] On Behalf
DR> Of Dick Hardt
DR> Sent: Thursday, October 05, 2006 9:36 AM
DR> To: Gabe Wachob
DR> Cc: specs@openid.net
DR> Subject: Strong Authencation (was [PROPOSAL] authentication age

DR> The vision I have is that strong authentication to your IdP will be
DR> common in the future.

DR> The strong authentication will be supplied by a vendor that has been
DR> certified to provide standardized levels of authentication. The IdP
DR> will often NOT be the strong auth vendor.

DR> The RP will have a trust relationship with the vendor, likely through
DR> a vendor consortium that delegates to vendors that their product is
DR> certified, ie. the RP will not need to trust each vendor, just the
DR> certification body.

DR> I would hope that OpenID can be extended over time to be able to move
DR> around these types of strong auth assertions.

DR> -- Dick

DR> On 4-Oct-06, at 8:41 PM, Gabe Wachob wrote:

>> Chris-
>>  As someone who has recently come from working in the financial
>> sector (Visa), its clear that OpenID is NOT intended for  
>> authentication
>> where the *relying party* cares about how the authentication is  
>> performed.
>>
>>  At places like Visa and for home banking, this means that OpenID,
>> without something more, is clearly a non-starter. These relying  
>> parties want
>> to know exactly how their users are being authenticated because their
>> business is all about risk management and creating business  
>> opportunities
>> around very good knowledge of the risk profile of each transaction
>> type.
>>
>>  That all being said, I believe it should be possible to layer on
>> OpenID a form of IDP control such that a relying party can require
>> a certain
>> class or group of IDPs be used when presenting authentication  
>> assertions to
>> them. The actual *policy* for how these IDPs are approved is probably
>> orthogonal to the protocol spec, but "secure" identification of  
>> those IDPs
>> (relative to some trust root, etc) could probably be made into an  
>> extension
>> usable for those parties who want it.
>>
>>  My guess is that culturally, most people involved in OpenID have
>> *not* been interested in addressing these concerns. However,  
>> expectations
>> need to be better managed around these sort of "relying-party cares"
>> scenarios, because its not obvious without actually reading the specs
>> themselves...
>>
>>  -Gabe
>>
>>> -Original Message-
>>> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]  
>>> On Behalf
>>> Of Chris Drake
>>> Sent: Wednesday, October 04, 2006 8:26 PM
>>> To: Kevin Turner
>>> Cc: specs@openid.net
>>> Subject: Re[2]: [PROPOSAL] authentication age
>>>
>>> Hi Kevin,
>>>
>>> Sounds like you're leaning towards a root authority for IdPs who can
>>> audit procedures and verify protection in order to sign the IdP's
>>> keys?
>>>
>>> Joe blogger doesn't care much about identity assertions from an IdP,
>>> but it

Re[2]: Strong Authencation (was [PROPOSAL] authentication age

2006-10-05 Thread Chris Drake

Hi Drummond,

Example1: RSA would provide a signed response indicating that the user
correctly entered the SecurID token code.

Example2: The RP would have the public key of the company that
supplies the fingerprint scanning hardware (although some extra
thought as to how a fingerprint ultimately matches to an Identity is
required, which will need an entirely different information flow to
Example1).

Is Dick a vendor himself? he no doubt knows other ways.

Kind Regards,
Chris Drake,
=1id.com

Friday, October 6, 2006, 3:19:44 AM, you wrote:

DR> Dick,

DR> You say, " The strong authentication will be supplied by a vendor that has
DR> been certified to provide standardized levels of authentication. The IdP
DR> will often NOT be the strong auth vendor."

DR> Can you explain how this might work, i.e., how can the RP have a
DR> relationship directly with the strong auth vendor and not the IdP? Would the
DR> IdP be outsourcing authentication to the strong auth vendor? In which case,
DR> isn't the strong auth vendor the IdP?

DR> =Drummond 

DR> -Original Message-
DR> From: [EMAIL PROTECTED]
DR> [mailto:[EMAIL PROTECTED] On Behalf
DR> Of Dick Hardt
DR> Sent: Thursday, October 05, 2006 9:36 AM
DR> To: Gabe Wachob
DR> Cc: specs@openid.net
DR> Subject: Strong Authencation (was [PROPOSAL] authentication age

DR> The vision I have is that strong authentication to your IdP will be
DR> common in the future.

DR> The strong authentication will be supplied by a vendor that has been
DR> certified to provide standardized levels of authentication. The IdP
DR> will often NOT be the strong auth vendor.

DR> The RP will have a trust relationship with the vendor, likely through
DR> a vendor consortium that delegates to vendors that their product is
DR> certified, ie. the RP will not need to trust each vendor, just the
DR> certification body.

DR> I would hope that OpenID can be extended over time to be able to move
DR> around these types of strong auth assertions.

DR> -- Dick

DR> On 4-Oct-06, at 8:41 PM, Gabe Wachob wrote:

>> Chris-
>>  As someone who has recently come from working in the financial
>> sector (Visa), its clear that OpenID is NOT intended for  
>> authentication
>> where the *relying party* cares about how the authentication is  
>> performed.
>>
>>  At places like Visa and for home banking, this means that OpenID,
>> without something more, is clearly a non-starter. These relying  
>> parties want
>> to know exactly how their users are being authenticated because their
>> business is all about risk management and creating business  
>> opportunities
>> around very good knowledge of the risk profile of each transaction
>> type.
>>
>>  That all being said, I believe it should be possible to layer on
>> OpenID a form of IDP control such that a relying party can require
>> a certain
>> class or group of IDPs be used when presenting authentication  
>> assertions to
>> them. The actual *policy* for how these IDPs are approved is probably
>> orthogonal to the protocol spec, but "secure" identification of  
>> those IDPs
>> (relative to some trust root, etc) could probably be made into an  
>> extension
>> usable for those parties who want it.
>>
>>  My guess is that culturally, most people involved in OpenID have
>> *not* been interested in addressing these concerns. However,  
>> expectations
>> need to be better managed around these sort of "relying-party cares"
>> scenarios, because its not obvious without actually reading the specs
>> themselves...
>>
>>  -Gabe
>>
>>> -Original Message-
>>> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]  
>>> On Behalf
>>> Of Chris Drake
>>> Sent: Wednesday, October 04, 2006 8:26 PM
>>> To: Kevin Turner
>>> Cc: specs@openid.net
>>> Subject: Re[2]: [PROPOSAL] authentication age
>>>
>>> Hi Kevin,
>>>
>>> Sounds like you're leaning towards a root authority for IdPs who can
>>> audit procedures and verify protection in order to sign the IdP's
>>> keys?
>>>
>>> Joe blogger doesn't care much about identity assertions from an IdP,
>>> but it's a reasonable bet to expect that a Bank might care...
>>>
>>> Kind Regards,
>>> Chris Drake
>>>
>>>
>>> ___
>>> specs mailing list
>>> specs@openid.net
>>> http://openid.net/mailman/listinfo/specs
>>
>> ___
>> specs mailing list
>> specs@openid.net
>> http://openid.net/mailman/listinfo/specs
>>
>>

DR> ___
DR> specs mailing list
DR> specs@openid.net
DR> http://openid.net/mailman/listinfo/specs

DR> ___
DR> specs mailing list
DR> specs@openid.net
DR> http://openid.net/mailman/listinfo/specs

___
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs

RE: Strong Authencation (was [PROPOSAL] authentication age

2006-10-05 Thread Gabe Wachob

I don't think it will get ugly because I think there are many ways to layer
on the functionality we are talking about. 

For example, Visa has something called 3-D Secure which is similar in many
ways to OpenID using INames. Instead of keying authentication off of INames,
they use Credit Card numbers. 

3-D Secure is implemented in one of several programs - Visa has "Verified by
Visa", Mastercard has "Securecode". Each of these programs varies the
protocol slightly, but by in large, the authentication mechanisms are
enforced by *policy* (ie you MUST use auth at least as strong as this) and
that policy is enforced (among several methods) by 1) the fact that
communication with the (credit card) directory requires clients to
authenticate *to the directory* and 2) the back channel communication is
mediated through the directory. That is one mechanism (which I really don't
recommend) that OpenID could take. 

Dick suggested a method where there is some vendor providing strong
authentication which is verifiable by anyone (or at least anyone who is part
of the club and cares). That authentication proof could ride along as an
extension element in OpenID. I suggested another approach where IDP's
themselves were "part of a club" (and there could be any number of clubs)
and that proof that the *IDP* was part of the club could come along as an
extension to the OpenID data. 

And if you are worried about how the RP knows ahead of time that an IDP can
provide the requisite extensions, we have a mechanism in the XRDS to
advertise these facts. 

So I think all these pieces are there -- it's just a matter of figuring out
how to put them together for the specific scenarios we have. I think in fact
that there will not be *one* answer, but several -- each based on the
ecosystem involved. If electronic payments systems ever use OpenID, there
will be certain controls that everyone who is participating will have to
agree to, and those controls may have to be enforceable and auditable by
multiple parties. In other scenarios, only certain parties may care (ie
RP's) and it may be untenable to impose as many extension pieces.

But I think we're getting ahead of ourselves. As long as you believe the
extensibility is in there and there is a reasonable path forward, then we
should get the basic infrastructure gelled and rolled out soon, or else
we'll never get the experience and mindshare with OpenID that we want. 

The quicker we get today done, the quicker we can get to tomorrow. 

-Gabe


> -Original Message-
> From: Chris Drake [mailto:[EMAIL PROTECTED]
> Sent: Thursday, October 05, 2006 10:22 AM
> To: Dick Hardt
> Cc: Gabe Wachob; 'Kevin Turner'; specs@openid.net
> Subject: Re: Strong Authencation (was [PROPOSAL] authentication age
> 
> Hi All,
> 
> 1. Amazon asks the IdP "Please assert this user is not a Robot"
>How can it trust this occurred?
> 
> 2. Amazon asks the IdP "Please re-authenticate this user, via
>two-factor, two-way strong authentication"
>How can it trust *this* occurred?
> 
> The IdP can *say* it did, but would RPs prefer a "stronger" role to
> encourage adoption? (eg: #1 - the RP provides the captcha, and the
> hash of the solution, while the IdP returns the solution, or #2 - the
> RP provides a nonce and later looks for this nonce in the IdP's
> also-signed-by-the-authentication-vendor-technology response)
> 
> i.e.: It might get ugly to try and add this stuff in later if we've
> not catered up-front for these kinds of interchanges.
> 
> Kind Regards,
> Chris Drake

___
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs

Re: Strong Authencation (was [PROPOSAL] authentication age

2006-10-05 Thread Chris Drake

Hi All,

1. Amazon asks the IdP "Please assert this user is not a Robot"
   How can it trust this occurred?

2. Amazon asks the IdP "Please re-authenticate this user, via
   two-factor, two-way strong authentication"
   How can it trust *this* occurred?

The IdP can *say* it did, but would RPs prefer a "stronger" role to
encourage adoption? (eg: #1 - the RP provides the captcha, and the
hash of the solution, while the IdP returns the solution, or #2 - the
RP provides a nonce and later looks for this nonce in the IdP's
also-signed-by-the-authentication-vendor-technology response)

i.e.: It might get ugly to try and add this stuff in later if we've
not catered up-front for these kinds of interchanges.

Kind Regards,
Chris Drake

___
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs

RE: Strong Authencation (was [PROPOSAL] authentication age

2006-10-05 Thread Drummond Reed

Dick,

You say, " The strong authentication will be supplied by a vendor that has
been certified to provide standardized levels of authentication. The IdP  
will often NOT be the strong auth vendor."

Can you explain how this might work, i.e., how can the RP have a
relationship directly with the strong auth vendor and not the IdP? Would the
IdP be outsourcing authentication to the strong auth vendor? In which case,
isn't the strong auth vendor the IdP?

=Drummond 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
Of Dick Hardt
Sent: Thursday, October 05, 2006 9:36 AM
To: Gabe Wachob
Cc: specs@openid.net
Subject: Strong Authencation (was [PROPOSAL] authentication age

The vision I have is that strong authentication to your IdP will be  
common in the future.

The strong authentication will be supplied by a vendor that has been  
certified to provide standardized levels of authentication. The IdP  
will often NOT be the strong auth vendor.

The RP will have a trust relationship with the vendor, likely through  
a vendor consortium that delegates to vendors that their product is  
certified, ie. the RP will not need to trust each vendor, just the  
certification body.

I would hope that OpenID can be extended over time to be able to move  
around these types of strong auth assertions.

-- Dick


On 4-Oct-06, at 8:41 PM, Gabe Wachob wrote:

> Chris-
>   As someone who has recently come from working in the financial
> sector (Visa), its clear that OpenID is NOT intended for  
> authentication
> where the *relying party* cares about how the authentication is  
> performed.
>
>   At places like Visa and for home banking, this means that OpenID,
> without something more, is clearly a non-starter. These relying  
> parties want
> to know exactly how their users are being authenticated because their
> business is all about risk management and creating business  
> opportunities
> around very good knowledge of the risk profile of each transaction  
> type.
>
>   That all being said, I believe it should be possible to layer on
> OpenID a form of IDP control such that a relying party can require  
> a certain
> class or group of IDPs be used when presenting authentication  
> assertions to
> them. The actual *policy* for how these IDPs are approved is probably
> orthogonal to the protocol spec, but "secure" identification of  
> those IDPs
> (relative to some trust root, etc) could probably be made into an  
> extension
> usable for those parties who want it.
>
>   My guess is that culturally, most people involved in OpenID have
> *not* been interested in addressing these concerns. However,  
> expectations
> need to be better managed around these sort of "relying-party cares"
> scenarios, because its not obvious without actually reading the specs
> themselves...
>
>   -Gabe
>
>> -Original Message-
>> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]  
>> On Behalf
>> Of Chris Drake
>> Sent: Wednesday, October 04, 2006 8:26 PM
>> To: Kevin Turner
>> Cc: specs@openid.net
>> Subject: Re[2]: [PROPOSAL] authentication age
>>
>> Hi Kevin,
>>
>> Sounds like you're leaning towards a root authority for IdPs who can
>> audit procedures and verify protection in order to sign the IdP's
>> keys?
>>
>> Joe blogger doesn't care much about identity assertions from an IdP,
>> but it's a reasonable bet to expect that a Bank might care...
>>
>> Kind Regards,
>> Chris Drake
>>
>>
>> ___
>> specs mailing list
>> specs@openid.net
>> http://openid.net/mailman/listinfo/specs
>
> ___
> specs mailing list
> specs@openid.net
> http://openid.net/mailman/listinfo/specs
>
>

___
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs

___
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs

Re: Strong Authencation (was [PROPOSAL] authentication age

2006-10-05 Thread Dick Hardt

Hi Gabe

Agreed that things like strong auth would be extensions.

I still think auth_age is something that RPs expect to be able to  
influence (primarily being able to ask for the auth ceremony to be  
performed) and should be in the current spec.

-- Dick

On 5-Oct-06, at 9:47 AM, Gabe Wachob wrote:

> Dick
>   That's sounds like a reasonable approach (if I understand what you
> are saying), and frankly one I hadn't considered.
>   More importantly, it sounds like we agree that we expect this to lie
> in the domain of OpenID extensions and that we don't need to  
> consider these
> scenarios/requirements now for the 2.0 specs?
>
>   -Gabe
>
>> -Original Message-
>> From: Dick Hardt [mailto:[EMAIL PROTECTED]
>> Sent: Thursday, October 05, 2006 9:36 AM
>> To: Gabe Wachob
>> Cc: 'Chris Drake'; 'Kevin Turner'; specs@openid.net
>> Subject: Strong Authencation (was [PROPOSAL] authentication age
>>
>> The vision I have is that strong authentication to your IdP will be
>> common in the future.
>>
>> The strong authentication will be supplied by a vendor that has been
>> certified to provide standardized levels of authentication. The IdP
>> will often NOT be the strong auth vendor.
>>
>> The RP will have a trust relationship with the vendor, likely through
>> a vendor consortium that delegates to vendors that their product is
>> certified, ie. the RP will not need to trust each vendor, just the
>> certification body.
>>
>> I would hope that OpenID can be extended over time to be able to move
>> around these types of strong auth assertions.
>>
>> -- Dick
>>
>>
>> On 4-Oct-06, at 8:41 PM, Gabe Wachob wrote:
>>
>>> Chris-
>>> As someone who has recently come from working in the financial
>>> sector (Visa), its clear that OpenID is NOT intended for
>>> authentication
>>> where the *relying party* cares about how the authentication is
>>> performed.
>>>
>>> At places like Visa and for home banking, this means that OpenID,
>>> without something more, is clearly a non-starter. These relying
>>> parties want
>>> to know exactly how their users are being authenticated because  
>>> their
>>> business is all about risk management and creating business
>>> opportunities
>>> around very good knowledge of the risk profile of each transaction
>>> type.
>>>
>>> That all being said, I believe it should be possible to layer on
>>> OpenID a form of IDP control such that a relying party can require
>>> a certain
>>> class or group of IDPs be used when presenting authentication
>>> assertions to
>>> them. The actual *policy* for how these IDPs are approved is  
>>> probably
>>> orthogonal to the protocol spec, but "secure" identification of
>>> those IDPs
>>> (relative to some trust root, etc) could probably be made into an
>>> extension
>>> usable for those parties who want it.
>>>
>>> My guess is that culturally, most people involved in OpenID have
>>> *not* been interested in addressing these concerns. However,
>>> expectations
>>> need to be better managed around these sort of "relying-party cares"
>>> scenarios, because its not obvious without actually reading the  
>>> specs
>>> themselves...
>>>
>>> -Gabe
>>>
>>>> -Original Message-
>>>> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
>>>> On Behalf
>>>> Of Chris Drake
>>>> Sent: Wednesday, October 04, 2006 8:26 PM
>>>> To: Kevin Turner
>>>> Cc: specs@openid.net
>>>> Subject: Re[2]: [PROPOSAL] authentication age
>>>>
>>>> Hi Kevin,
>>>>
>>>> Sounds like you're leaning towards a root authority for IdPs who  
>>>> can
>>>> audit procedures and verify protection in order to sign the IdP's
>>>> keys?
>>>>
>>>> Joe blogger doesn't care much about identity assertions from an  
>>>> IdP,
>>>> but it's a reasonable bet to expect that a Bank might care...
>>>>
>>>> Kind Regards,
>>>> Chris Drake
>>>>
>>>>
>>>> ___
>>>> specs mailing list
>>>> specs@openid.net
>>>> http://openid.net/mailman/listinfo/specs
>>>
>>> ___
>>> specs mailing list
>>> specs@openid.net
>>> http://openid.net/mailman/listinfo/specs
>>>
>>>
>
>

___
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs

RE: Strong Authencation (was [PROPOSAL] authentication age

2006-10-05 Thread Gabe Wachob

Dick
That's sounds like a reasonable approach (if I understand what you
are saying), and frankly one I hadn't considered.
More importantly, it sounds like we agree that we expect this to lie
in the domain of OpenID extensions and that we don't need to consider these
scenarios/requirements now for the 2.0 specs?

-Gabe

> -Original Message-
> From: Dick Hardt [mailto:[EMAIL PROTECTED]
> Sent: Thursday, October 05, 2006 9:36 AM
> To: Gabe Wachob
> Cc: 'Chris Drake'; 'Kevin Turner'; specs@openid.net
> Subject: Strong Authencation (was [PROPOSAL] authentication age
> 
> The vision I have is that strong authentication to your IdP will be
> common in the future.
> 
> The strong authentication will be supplied by a vendor that has been
> certified to provide standardized levels of authentication. The IdP
> will often NOT be the strong auth vendor.
> 
> The RP will have a trust relationship with the vendor, likely through
> a vendor consortium that delegates to vendors that their product is
> certified, ie. the RP will not need to trust each vendor, just the
> certification body.
> 
> I would hope that OpenID can be extended over time to be able to move
> around these types of strong auth assertions.
> 
> -- Dick
> 
> 
> On 4-Oct-06, at 8:41 PM, Gabe Wachob wrote:
> 
> > Chris-
> > As someone who has recently come from working in the financial
> > sector (Visa), its clear that OpenID is NOT intended for
> > authentication
> > where the *relying party* cares about how the authentication is
> > performed.
> >
> > At places like Visa and for home banking, this means that OpenID,
> > without something more, is clearly a non-starter. These relying
> > parties want
> > to know exactly how their users are being authenticated because their
> > business is all about risk management and creating business
> > opportunities
> > around very good knowledge of the risk profile of each transaction
> > type.
> >
> > That all being said, I believe it should be possible to layer on
> > OpenID a form of IDP control such that a relying party can require
> > a certain
> > class or group of IDPs be used when presenting authentication
> > assertions to
> > them. The actual *policy* for how these IDPs are approved is probably
> > orthogonal to the protocol spec, but "secure" identification of
> > those IDPs
> > (relative to some trust root, etc) could probably be made into an
> > extension
> > usable for those parties who want it.
> >
> > My guess is that culturally, most people involved in OpenID have
> > *not* been interested in addressing these concerns. However,
> > expectations
> > need to be better managed around these sort of "relying-party cares"
> > scenarios, because its not obvious without actually reading the specs
> > themselves...
> >
> > -Gabe
> >
> >> -Original Message-
> >> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> >> On Behalf
> >> Of Chris Drake
> >> Sent: Wednesday, October 04, 2006 8:26 PM
> >> To: Kevin Turner
> >> Cc: specs@openid.net
> >> Subject: Re[2]: [PROPOSAL] authentication age
> >>
> >> Hi Kevin,
> >>
> >> Sounds like you're leaning towards a root authority for IdPs who can
> >> audit procedures and verify protection in order to sign the IdP's
> >> keys?
> >>
> >> Joe blogger doesn't care much about identity assertions from an IdP,
> >> but it's a reasonable bet to expect that a Bank might care...
> >>
> >> Kind Regards,
> >> Chris Drake
> >>
> >>
> >> ___
> >> specs mailing list
> >> specs@openid.net
> >> http://openid.net/mailman/listinfo/specs
> >
> > ___
> > specs mailing list
> > specs@openid.net
> > http://openid.net/mailman/listinfo/specs
> >
> >

___
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs

Strong Authencation (was [PROPOSAL] authentication age

2006-10-05 Thread Dick Hardt

The vision I have is that strong authentication to your IdP will be  
common in the future.

The strong authentication will be supplied by a vendor that has been  
certified to provide standardized levels of authentication. The IdP  
will often NOT be the strong auth vendor.

The RP will have a trust relationship with the vendor, likely through  
a vendor consortium that delegates to vendors that their product is  
certified, ie. the RP will not need to trust each vendor, just the  
certification body.

I would hope that OpenID can be extended over time to be able to move  
around these types of strong auth assertions.

-- Dick


On 4-Oct-06, at 8:41 PM, Gabe Wachob wrote:

> Chris-
>   As someone who has recently come from working in the financial
> sector (Visa), its clear that OpenID is NOT intended for  
> authentication
> where the *relying party* cares about how the authentication is  
> performed.
>
>   At places like Visa and for home banking, this means that OpenID,
> without something more, is clearly a non-starter. These relying  
> parties want
> to know exactly how their users are being authenticated because their
> business is all about risk management and creating business  
> opportunities
> around very good knowledge of the risk profile of each transaction  
> type.
>
>   That all being said, I believe it should be possible to layer on
> OpenID a form of IDP control such that a relying party can require  
> a certain
> class or group of IDPs be used when presenting authentication  
> assertions to
> them. The actual *policy* for how these IDPs are approved is probably
> orthogonal to the protocol spec, but "secure" identification of  
> those IDPs
> (relative to some trust root, etc) could probably be made into an  
> extension
> usable for those parties who want it.
>
>   My guess is that culturally, most people involved in OpenID have
> *not* been interested in addressing these concerns. However,  
> expectations
> need to be better managed around these sort of "relying-party cares"
> scenarios, because its not obvious without actually reading the specs
> themselves...
>
>   -Gabe
>
>> -Original Message-
>> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]  
>> On Behalf
>> Of Chris Drake
>> Sent: Wednesday, October 04, 2006 8:26 PM
>> To: Kevin Turner
>> Cc: specs@openid.net
>> Subject: Re[2]: [PROPOSAL] authentication age
>>
>> Hi Kevin,
>>
>> Sounds like you're leaning towards a root authority for IdPs who can
>> audit procedures and verify protection in order to sign the IdP's
>> keys?
>>
>> Joe blogger doesn't care much about identity assertions from an IdP,
>> but it's a reasonable bet to expect that a Bank might care...
>>
>> Kind Regards,
>> Chris Drake
>>
>>
>> ___
>> specs mailing list
>> specs@openid.net
>> http://openid.net/mailman/listinfo/specs
>
> ___
> specs mailing list
> specs@openid.net
> http://openid.net/mailman/listinfo/specs
>
>

___
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs

RE: Re[2]: Strong Authencation (was [PROPOSAL] authentication age

Re: Strong Authencation (was [PROPOSAL] authentication age

RE: Re[2]: Strong Authencation (was [PROPOSAL] authentication age

RE: Re[2]: Strong Authencation (was [PROPOSAL] authentication age

Re[2]: Strong Authencation (was [PROPOSAL] authentication age

RE: Strong Authencation (was [PROPOSAL] authentication age

Re: Strong Authencation (was [PROPOSAL] authentication age

RE: Strong Authencation (was [PROPOSAL] authentication age

Re: Strong Authencation (was [PROPOSAL] authentication age

RE: Strong Authencation (was [PROPOSAL] authentication age

Strong Authencation (was [PROPOSAL] authentication age

11 matches

Site Navigation

Mail list logo

Footer information