Chris Drake wrote:
> Hi All,
> 1. Amazon asks the IdP "Please assert this user is not a Robot"
>    How can it trust this occurred?
> 2. Amazon asks the IdP "Please re-authenticate this user, via
>    two-factor, two-way strong authentication"
>    How can it trust *this* occurred?
> The IdP can *say* it did, but would RPs prefer a "stronger" role to
> encourage adoption? (eg: #1 - the RP provides the captcha, and the
> hash of the solution, while the IdP returns the solution, or #2 - the
> RP provides a nonce and later looks for this nonce in the IdP's
> also-signed-by-the-authentication-vendor-technology response)
> i.e.: It might get ugly to try and add this stuff in later if we've
> not catered up-front for these kinds of interchanges.

These use-cases seem like a good one, in that it's something that's 
actually *verifiable*, rather than relying on a trust relationship that 
probably doesn't exist between RP and IdP.

I still don't think this should be in the core spec — core OpenID Auth 
should be simple — but we should make sure that it's possible to add it 
via extension and if it isn't adjust the way extensions work to make it 

specs mailing list

Reply via email to