Manger, James H wrote:
>
> For most RPs there shouldn’t be a high price (if any price).  When the
> login only gives access to the user’s own resources (be they colour
> preferences, reputation, personal details, money…), then any
> inappropriately weak authentication of the user by their OP only
> affects that user.  The user pays a price, but not the RP.  This
> scenario covers a lot of services: Amazon (user’s book preferences,
> user’s payments); hotmail (user’s inbox); flickr (user’s photos)…
>

I fully agree with you in your example above until you mention money.
In the Amazon example for book purchases, the user is not the one
affected by a mis-authenticated transaction; Amazon and the credit-card
companies are, since the user is indemnified by most credit card companies for
fraudulent purchases.  If the user were *actually bound* to be
responsible for the transactions their identities perform, the model
works - but this is not the world that I (or Amazon, or Bank of America)
live in.

> The hassle is that an RP expectation for, say, “hardotp” will prevent
> my spec-compliant OP software from logging me in even if I am using a
> triple-factor iris scan, 20-char password and smartcard to
> authenticate myself to my OP. A related hassle is that when my OP
> supports a new authentication method (such as a strong
> password-authenticated key agreement scheme (eg SRP)), existing RPs
> will not recognize this method as strong enough for the RP’s
> expectations – regardless of the method’s actual strength.

Perhaps, but I support the concept you stated earlier of not specifying
the authentication method directly between the RP and OP, but agreeing
on the 'importance'. What I expect will happen is that the OP and
(higher-risk) RPs will first need to come to agreement (perhaps with
eventual guidance/oversight from another standard or regulating body) on
what types/methods/frequency of authentication equate to which
'strength'.  This gets the RPs out of the gory details while still having
their a$$ covered - but with the potential of shifting some of the
liability to the OP, e.g. for failure to meet the agreement.  We've already
seen such authentication guidance emerging from the FFIEC; clearly the
Fed does not like the concept of an authentication free-for-all for
online banking.

In a commercial sense, I just don't see (higher-risk) RPs accepting
identities from just any mom/pop OP; the economics just don't support
this.

-Justin
_______________________________________________
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs
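The two approaches argued over in this exchange, an RP naming a specific method such as "hardotp" versus the RP and OP agreeing on a strength level, can be contrasted in a small model. This is an added illustration, not code from the thread or from any OpenID implementation; the method names, the level numbers and the multi-factor bonus rule are all hypothetical stand-ins for whatever an RP/OP agreement would actually specify.

```python
# Added example, not from the thread: toy model of method-based versus
# level-based acceptance of an OP authentication assertion by an RP.
# All method names, levels and the bonus rule are hypothetical.

# Hypothetical agreed mapping from authentication method to strength level.
# "srp" stands in for the password-authenticated key agreement scheme
# mentioned in the thread; it only has a level once the agreement lists it.
METHOD_STRENGTH = {
    "password": 1,
    "password-20char": 2,
    "srp": 2,
    "hardotp": 3,
    "smartcard": 3,
    "iris": 3,
}
MAX_LEVEL = 4


def rp_accepts_by_method(required_methods, op_methods):
    """Method-based policy: the RP names methods it insists on and accepts
    only if the OP reports at least one of them, regardless of whatever
    else the OP used. This is the 'hardotp' hassle from the thread."""
    return bool(set(required_methods) & set(op_methods))


def unrecognized_methods(op_methods):
    """Methods the OP reports that the agreement has no level for. These
    contribute nothing until the RP/OP mapping is updated, which is the
    new-method problem the thread raises."""
    return {m for m in op_methods if m not in METHOD_STRENGTH}


def session_strength(op_methods):
    """Level-based policy input: strength of a login is the strongest
    recognized method, plus one (hypothetical rule) when two or more
    recognized methods were combined, capped at MAX_LEVEL."""
    known = [METHOD_STRENGTH[m] for m in op_methods if m in METHOD_STRENGTH]
    if not known:
        return 0
    bonus = 1 if len(known) >= 2 else 0
    return min(max(known) + bonus, MAX_LEVEL)


def rp_accepts_by_level(required_level, op_methods):
    """Level-based policy: the RP states only the importance it needs and
    the OP's reported methods are judged against the agreed mapping."""
    return session_strength(op_methods) >= required_level


if __name__ == "__main__":
    # Constructed scenario from the thread: iris scan, 20-char password
    # and smartcard at the OP, while the RP expects "hardotp".
    strong_login = {"iris", "password-20char", "smartcard"}
    print("method-based, requires hardotp:",
          rp_accepts_by_method({"hardotp"}, strong_login))   # False
    print("level-based, requires level 3:",
          rp_accepts_by_level(3, strong_login))              # True
    print("srp alone, requires level 3:",
          rp_accepts_by_level(3, {"srp"}))                   # False
    print("unlisted new method:",
          unrecognized_methods({"new-pake-scheme"}))
```

The level-based check accepts the strong multi-factor login that the method-based check rejects, which is the first hassle in the quoted text. The second hassle survives in this model too: a method absent from the agreed mapping scores zero until the agreement is revised, so the mapping itself becomes the thing the OP and higher-risk RPs must maintain together.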