Hi George, for your use case below, why would not the RP just ask for the user to be up-authenticated at the desired higher level when necessary?
Are you asking whether the RP should be allowed to ask the user to re-present their URI in order for this to happen? And thereby effectively treating each event as disconnected/standalone?

Wrt combinations, I know from experience that the alternative to allowing for RPs to specify combinations is a combinatorial explosion in the number of mechanism identifiers.

Paul

George Fletcher wrote:
> +1 simple and straightforward
>
> Just curious about use cases where the required authentication level
> changes over time. For instance, a use case where to view my stock
> portfolio just requires "password", but doing a trade requires
> "voicebio". Is the expectation that authentication events can be
> treated as "standalone"? or that it's the RP's responsibility to manage
> the combinations based on the identifier?
>
> One final question... Is it valuable to provide a way to request two or
> more authentication methods be employed in the authentication event?
> For example, administrators of a site must use both "password" and
> "hardotp". Everyone else just needs "password".
>
> Thanks,
> George

--
Paul Madsen e:paulmadsen @ ntt-at.com
NTT p:613-482-0432
m:613-302-1428
aim:PaulMdsn5
web:connectid.blogspot.com