Hey all,
It turned out that from the OSIS interoperability event in Barcelona a
call was scheduled to discuss PAPE issues from the interop. I heard
about the call a few minutes before, but Mike, Johnny, and I had a
really productive call. If no one disagrees, we should get these
edits into the spec and release draft 3.
Thanks,
--David
Begin forwarded message:
From: Mike Jones <[EMAIL PROTECTED]>
Date: November 1, 2007 10:04:02 PM GMT+01:00
To: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>, Johnny Bufu <[EMAIL PROTECTED]>, "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>
Subject: OSIS PAPE call results
Today we held the call discussing OSIS feedback on the PAPE spec.
Topics covered and recommendations made on the call were:
- Authorization decisions should be made solely by the relying
party. The identity provider should accurately report the status of
all policies requested by the relying party that the authentication
complies with and may also choose to report the status of any
policies that apply that were not explicitly requested. The
policies are not mutually exclusive and no relationship between the
different policies should be implied. A clarification to this
effect should be added to the draft.
- There was a request for a definition of Active Authentication as
used in the auth_time element description. Intuitively, this
involves at least having the user being at the machine as a
participant in the authentication interaction in some manner. We
agreed that we should look for an existing definition of active
authentication that appears to apply.
- The table in Appendix A.1.1 of http://openid.net/specs/openid-provider-authentication-policy-extension-1_0-02.html
needs to be updated to be consistent with the definition in Section
4. Specifically:
  - PIN and soft OTP token should not be marked as phishing-resistant.
  - PIN and hard OTP token should not be marked as phishing-resistant.
  - Information Cards should be added and listed as phishing-resistant.
  - Active password managers that only release the password to the correct site should be listed as phishing-resistant.
- If relying parties and OPs want to communicate actual
authentication methods used, that should happen via a different spec
than PAPE. Then the market can decide whether to use PAPE, this
spec, both, or neither. (However, some in the group have both
privacy concerns about this and concerns about enabling attackers by
giving them additional information to use in their attacks.)
Finally, while we failed to discuss this on the call, I also believe
that:
  - PIN and digital certificate via HTTPS is phishable if the same certificate value is released to every site.
  - PIN and digital certificate via HTTPS is not phishable if a different certificate value is released to every site.
and that the table should be updated accordingly in this case as
well. Someone who's an expert in this method should pipe in and
provide guidance.
Thanks all!
-- Mike
_______________________________________________
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs
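The first two recommendations above (the RP, not the OP, makes the authorization decision; the OP only reports which policies the authentication satisfied; auth_time records the user's last active authentication) can be shown as an RP-side check. The following Python is an added example written for this page, not code from the thread participants or from any OpenID library. It assumes the field names, namespace URI and policy URIs of PAPE 1.0 draft 2 (openid.pape.auth_policies, openid.pape.auth_time, the 2007/06 policy URIs); the sample response and the fixed "current time" are constructed, and signature verification itself is assumed to have been done by the RP's OpenID library, so only coverage of the PAPE fields by openid.signed is checked here.

```python
from datetime import datetime, timedelta, timezone

# PAPE 1.0 draft 2 namespace and policy URIs (assumed from the spec text, not from this thread).
PAPE_NS = "http://specs.openid.net/extensions/pape/1.0"
PHISHING_RESISTANT = "http://schemas.openid.net/pape/policies/2007/06/phishing-resistant"
MULTI_FACTOR = "http://schemas.openid.net/pape/policies/2007/06/multi-factor"
MULTI_FACTOR_PHYSICAL = "http://schemas.openid.net/pape/policies/2007/06/multi-factor-physical"

# Constructed sample: the openid.* fields of a positive assertion after the RP's
# OpenID library has verified the signature. The OP reports the two policies the
# authentication complied with and the time of the user's active authentication.
SAMPLE_RESPONSE = {
    "openid.ns.pape": PAPE_NS,
    "openid.pape.auth_policies": PHISHING_RESISTANT + " " + MULTI_FACTOR,
    "openid.pape.auth_time": "2007-11-01T20:55:00Z",
    "openid.signed": ("op_endpoint,claimed_id,identity,return_to,response_nonce,"
                      "assoc_handle,ns.pape,pape.auth_policies,pape.auth_time"),
}

# Fixed "current time" so the example is reproducible: five minutes after auth_time.
NOW = datetime(2007, 11, 1, 21, 0, 0, tzinfo=timezone.utc)


def pape_fields_signed(params):
    """True if every PAPE field present in the response is listed in openid.signed.
    An unsigned auth_policies value could have been altered in transit, so the RP
    must not base a decision on it."""
    signed = set(params.get("openid.signed", "").split(","))
    pape_fields = [k[len("openid."):] for k in params
                   if k.startswith("openid.pape.") or k == "openid.ns.pape"]
    return all(f in signed for f in pape_fields)


def parse_pape_response(params):
    """Return (set of reported policy URIs, auth_time as an aware datetime or None)."""
    policies = set(params.get("openid.pape.auth_policies", "").split())
    auth_time = None
    raw = params.get("openid.pape.auth_time")
    if raw:
        auth_time = datetime.strptime(raw, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return policies, auth_time


def rp_authorize(params, required_policies, max_auth_age=None, now=NOW):
    """RP-side authorization decision. Returns (allowed, reasons).

    The OP only reports which policies the authentication satisfied; the RP
    decides. Policies reported beyond the required set are ignored rather than
    treated as conflicting, since the policies are not mutually exclusive. A
    required policy the OP did not report is treated as not satisfied."""
    reasons = []
    if not pape_fields_signed(params):
        reasons.append("PAPE fields are not covered by the OP signature")
    reported, auth_time = parse_pape_response(params)
    missing = set(required_policies) - reported
    if missing:
        reasons.append("OP did not report compliance with: " + ", ".join(sorted(missing)))
    if max_auth_age is not None:
        if auth_time is None:
            reasons.append("max_auth_age requested but OP reported no auth_time")
        elif now - auth_time > timedelta(seconds=max_auth_age):
            reasons.append("last active authentication is older than max_auth_age")
    return not reasons, reasons


if __name__ == "__main__":
    # RP requires phishing resistance and a login no older than ten minutes.
    print(rp_authorize(SAMPLE_RESPONSE, {PHISHING_RESISTANT}, max_auth_age=600))
```

The decision logic lives entirely on the RP side: the OP's reported set is compared against the RP's own requirement, an unrequested extra policy (multi-factor here) neither helps nor hurts, and a stale or absent auth_time fails a request that carried max_auth_age.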