Over the past few weeks I've been working on the OpenID Provider Authentication Policy Extension which is designed to replace the work I did last year with the Assertion Quality Extension.
Generally, the goal of this extension is to provide Relying Parties with more information about how the End User authenticated to their Provider. This is done by a mix of the RP requesting certain policies (such as phishing-resistant or multi-factor), the OP helping the End User through the authentication process, and then in the OpenID Authentication response including the policies that were met as well as optionally a strength level for the overall authentication. This extension doesn't speak at all toward trust of the End User or Provider, so RPs will still have to decide if they believe the information returned about the authentication in the response.

So please, check it out and let me know what you think... especially around the questions in the Editorial Comments section at the end.

http://openid.net/specs/openid-provider-authentication-policy-extension-1_0-01.html
http://openid.net/specs/openid-provider-authentication-policy-extension-1_0-01.txt

Thanks,

--David