On 1/22/07, Ben Laurie <[EMAIL PROTECTED]> wrote:
> > On 1/22/07, Ben Laurie <[EMAIL PROTECTED]> wrote:
> > > OK, the idea is pretty simple. Rather like the "OpenID Authentication
> > > Security Profiles" you have a profile where the RP states what kind of
> > > End User/OP authentication is acceptable to it. Sites with low/zero
> > > value attached to the login can accept any kind of EU/OP auth, whereas
> > > high value sites can require "unphishable" auth.
> >
> > I like the sound of this proposal, but I don't see how the RP could
> > know whether the OP is actually using "unphishable" authentication
> > when that kind of authentication is requested. Is it necessary for the
> > RP to be able to tell for sure, and if so, how could it tell?
>
> No, I don't think it is necessary. If users want to trust their
> identity to OPs that lie, that's their decision.

In that case, I think this could just be part of the "Assertion
Quality Extension." [1] I haven't been involved in that specification
at all, but my understanding is that it provides a way of expressing
what kind of authentication the RP would like to have when a request
is made to the OP.

Josh

1. http://openid.net/specs/openid-assertion-quality-extension-1_0-01.html

_______________________________________________
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs