Hi All, 1. Amazon asks the IdP "Please assert this user is not a Robot" How can it trust this occurred?
2. Amazon asks the IdP "Please re-authenticate this user, via two-factor, two-way strong authentication" How can it trust *this* occurred? The IdP can *say* it did, but would RPs prefer a "stronger" role to encourage adoption? (eg: #1 - the RP provides the captcha, and the hash of the solution, while the IdP returns the solution, or #2 - the RP provides a nonce and later looks for this nonce in the IdP's also-signed-by-the-authentication-vendor-technology response) i.e.: It might get ugly to try and add this stuff in later if we've not catered up-front for these kinds of interchanges. Kind Regards, Chris Drake _______________________________________________ specs mailing list firstname.lastname@example.org http://openid.net/mailman/listinfo/specs