Hi George, for your use case below, why would not the RP just ask for 
the user to be up-authenticated at the desired higher level when necessary?

Are you asking whether the RP should be allowed to ask the user to 
re-present their URI in order for this to happen? And thereby 
effectively treating each event as disconnected/standalone?

Wrt combinations, I know from experience that the alternative to 
allowing for RPs to specify combinations is a combinatorial explosion in 
the number of mechanism identifiers.


George Fletcher wrote:
> +1 simple and straightforward
> Just curious about use cases where the required authentication level 
> changes over time.  For instance, a use case where to view my stock 
> portfolio just requires "password", but doing a trade requires 
> "voicebio".  Is the expectation that authentication events can be 
> treated as "standalone"? or that it's the RP's responsibility to manage 
> the combinations based on the identifier?
> One final question... Is it valuable to provide a way to request two or 
> more authentication methods be employed in the authentication event?  
> For example, administrators of a site must use both "password" and 
> "hardotp".  Everyone else just needs "password".
> Thanks,
> George
