The OpenID Foundation membership has approved OpenID Provider Authentication Policy Extension 1.0 as an OpenID specification by a vote of forty-two to three, with seven abstentions. This is a significant development for the OpenID community for two reasons: First, this is the first new specification to be developed under the OpenID Foundation’s IPR policies and procedures, which ensure that all are free to use it (like the existing approved specifications) – paving the way for additional specifications to come. Second, the PAPE specification provides an important security enhancement to OpenID Authentication, which can be used with both OpenID 1.1 and OpenID 2.0.
Specifically, the PAPE Specification enables Relying Parties to request that OpenID Providers employ specified authentication policies when authenticating users and for OpenID Providers to inform the Relying Parties which policies were actually used. With PAPE, for instance, a Relying Party can request that the OpenID Provider employ a phishing-resistant authentication method for authenticating the user, and know whether such a method was used or not. The specification can also be used to request multi-factor authentication and to learn what NIST level (or other levels) the authentication conforms to.
At the time of this writing, the working group is aware of at least four implementations of the specification: PHP, Ruby, and Python development versions from OpenID Enabled and a .NET version from the DotNetOpenID project.
The PAPE working group looks forward to seeing use of the specification help make OpenID interactions more secure in the real world!
— Mike Jones, for the PAPE Working Group