+ [...] For example it is recommended that if the OP + specified the Multi-Factor Physical Authentication policy and the RP + requested the Multi-Factor Authentication policy, that the RP's + requirements were met.
This puts undue requirements on the RP implementations. As a design principle, I believe the goals were to make required effort and adoption and as easy as possible for RPs, and have more happening on the OP where possible. I would at least complement, if not replace, this patch with: "For example, if the RP requested Multi-Factor and the OP supports Multi-Factor Physical, it is recommended that the OP includes both policies in the response." As I argued on the osis list, the OP is in the best position to make judgments about the qualities of its authentication mechanisms, and it should respond to the point to the RP's requests. What if the RP knows what Multi-Factor means, but has no idea (and no interest) in Multi-Factor-Physical? Johnny _______________________________________________ specs mailing list firstname.lastname@example.org http://openid.net/mailman/listinfo/specs