PAPE may be another approach (to support per-user per-RP login policies). It 
certainly will not always be “cleaner”. It is not a reason against enabling a 
discovery-based approach.

This PAPE suggestion requires the RP and OP to implement what the user wants. A 
discovery-based approach only requires the web site hosting the user’s 
identifier to implement what the user wants.

> The PAPE-enabled backup service requests that the OP authenticates Alice
> in a manner compliant with certain policies,
> that are satisfactory to Alice's security requirements for a backup service.

PAPE must be implemented by the backup service AND the OP. Alice’s policy must 
be expressible in PAPE’s language. The backup service must have a GUI for Alice 
to choose her security requirements. The backup service has to remember 
per-user login requirements – which is rather at odds with a main point of 
OpenID of the RP not having to be involved with how Alice is authenticated. 
Every other RP where Alice wants to tweak her login policy also needs to 
support this… Please don’t make this the only way to implement this style of 
feature.

There have always been 4 entities in an OpenID login: the user (with a 
browser); the OP; the RP; and the web site hosting the user’s identifier. The 
last entity can simply be a static HTML page, which is a huge bonus. 
Identifying the RP to this entity enables (but doesn’t require) it to be more 
than a static page – when that is useful (i.e. for users, circumstances and 
functions where it turns out to be the easiest implementation point).

 

        _____________________________________________
        From: Johnny Bufu [mailto:[EMAIL PROTECTED] 
        Sent: Thursday, 18 October 2007 4:15 AM
        To: Manger, James H
        Cc: specs@openid.net

        I believe there's a cleaner way to address this, that would not 
        complicate the things that Alice needs to know about the inner workings of 
        OpenID (and without her having to use different identities for different 
        purposes):

        The PAPE-enabled backup service requests that the OP authenticates 
        Alice in a manner compliant with certain policies, that are satisfactory to 
        Alice's security requirements for a backup service.

________________________________

From: Manger, James H 
Sent: Wednesday, 17 October 2007 12:59 PM
To: 'specs@openid.net'
Subject: [OpenID] identify RP when it gets OpenID URL

…

Add the following paragraph at the end of section 7.3 Discovery:

“The Relying Party MUST include a From HTTP header field in each HTTP request 
made during discovery. The From field holds an email address for the RP (e.g. 
From: [EMAIL PROTECTED]) [RFC2616]. This enables the discovered information to 
vary based on the RP. The From field is not authenticated so it is not 
appropriate to use for access control.”

…

_______________________________________________
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs

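An added illustration, not from this thread or from any OpenID implementation, of the kind of identifier host the From-header proposal enables: a small Python server that serves Alice's OpenID 2.0 HTML discovery page and picks the OP from a per-RP policy keyed on the domain of the RP's From address, falling back to a default when the header is absent or malformed. The RP domains, OP URLs and policy table are constructed placeholders; because From is unauthenticated, it only selects which OP the RP is pointed at and grants nothing.

```python
"""Identifier host that varies OpenID 2.0 HTML discovery by the RP's From header.

Constructed example: the RP domains, OP URLs and POLICY table are hypothetical.
Only the From header and the openid2.* link relations come from the thread
and the OpenID 2.0 spec.
"""
import re
from http.server import BaseHTTPRequestHandler, HTTPServer

# Per-RP policy: which OP Alice wants used when a given RP (identified by the
# domain of its From address) performs discovery. DEFAULT applies to RPs that
# send no From header, or one that does not parse as an email address.
POLICY = {
    "backup.example": ("https://strong-op.example/auth",
                       "https://strong-op.example/alice"),
}
DEFAULT = ("https://everyday-op.example/auth", "https://everyday-op.example/alice")

_ADDR = re.compile(r"^[^@\s<>]+@([A-Za-z0-9.-]+)$")


def rp_domain(from_header):
    """Return the lowercase domain of an RFC 2616 From value, or None.
    Accepts 'user@host' and '<user@host>'; anything else counts as absent,
    since the header is unauthenticated and must never be trusted blindly."""
    if from_header is None:
        return None
    value = from_header.strip()
    if value.startswith("<") and value.endswith(">"):
        value = value[1:-1]
    m = _ADDR.match(value)
    return m.group(1).lower() if m else None


def choose_op(from_header):
    """Select (op_endpoint, local_id) for this RP; unknown RPs get DEFAULT."""
    return POLICY.get(rp_domain(from_header), DEFAULT)


def discovery_html(from_header):
    """Render Alice's identifier page with OpenID 2.0 HTML-discovery link tags."""
    endpoint, local_id = choose_op(from_header)
    return ("<html><head>"
            f'<link rel="openid2.provider" href="{endpoint}">'
            f'<link rel="openid2.local_id" href="{local_id}">'
            "</head><body>Alice's identifier</body></html>")


class IdentifierHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        body = discovery_html(self.headers.get("From")).encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Vary", "From")  # response depends on From; do not share cached copies
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), IdentifierHandler).serve_forever()
```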