Ben,

On 1/22/07, Ben Laurie <[EMAIL PROTECTED]> wrote:
> OK, the idea is pretty simple. Rather like the "OpenID Authentication
> Security Profiles" you have a profile where the RP states what kind of
> End User/OP authentication is acceptable to it. Sites with low/zero
> value attached to the login can accept any kind of EU/OP auth, whereas
> high value sites can require "unphishable" auth.

I like the sound of this proposal, but I don't see how the RP could know whether the OP is actually using "unphishable" authentication when that kind of authentication is requested. Is it necessary for the RP to be able to tell for sure, and if so, how could it tell?

Josh
_______________________________________________
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs