The OpenID Foundation membership has approved OpenID Provider Authentication Policy Extension 1.0 as an OpenID specification by a vote of forty-two to three, with seven abstentions. This is a significant development for the OpenID community for two reasons: First, this is the first new specification to be developed under the OpenID Foundation’s IPR policies and procedures, which ensure that all are free to use it (like the existing approved specifications) – paving the way for additional specifications to come. Second, the PAPE specification provides an important security enhancement to OpenID Authentication, which can be used with both OpenID 1.1 and OpenID 2.0.
Specifically, the PAPE Specification enables Relying Parties to request that OpenID Providers employ specified authentication policies when authenticating users and for OpenID Providers to inform the Relying Parties which policies were actually used. With PAPE, for instance, a Relying Party can request that the OpenID Provider employ a phishing-resistant authentication method for authenticating the user, and know whether such a method was used or not. The specification can also be used to request multi-factor authentication and to learn what NIST level (or other levels) the authentication conforms to.
At the time of this writing, the working group is aware of at least four implementations of the specification: PHP, Ruby, and Python development versions from OpenID Enabled and a .NET version from the DotNetOpenID project.
The PAPE working group looks forward to seeing use of the specification help make OpenID interactions more secure in the real world!
– Mike Jones, for the PAPE Working Group
Tags: pape, security, specification
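The request/response exchange described in the announcement, sketched from the Relying Party side. This is an added example, not code from the announcement or from any of the implementations it lists; the function names and the sample response are constructed here, and it assumes the assertion's signature has already been verified by the RP's OpenID library.

```python
from datetime import datetime, timezone

PAPE_NS = "http://specs.openid.net/extensions/pape/1.0"
PHISHING_RESISTANT = "http://schemas.openid.net/pape/policies/2007/06/phishing-resistant"
MULTI_FACTOR = "http://schemas.openid.net/pape/policies/2007/06/multi-factor"

# Constructed sample of the PAPE-related fields in a positive assertion.
SAMPLE = {
    "openid.ns.ext1": PAPE_NS,  # the OP chooses the alias; it need not be "pape"
    "openid.ext1.auth_policies": PHISHING_RESISTANT,
    "openid.ext1.auth_time": "2009-01-01T11:50:00Z",
    "openid.signed": "op_endpoint,claimed_id,ext1.auth_policies,ext1.auth_time",
}

def pape_request(policies, max_auth_age=None, alias="pape"):
    """Extra parameters the RP adds to its authentication request."""
    req = {f"openid.ns.{alias}": PAPE_NS,
           f"openid.{alias}.preferred_auth_policies": " ".join(policies)}
    if max_auth_age is not None:
        req[f"openid.{alias}.max_auth_age"] = str(max_auth_age)
    return req

def check_pape_response(params, required, max_auth_age=None, now=None, skew=120):
    """Return (ok, reason); a requested policy counts only if the OP reports it."""
    alias = next((k[len("openid.ns."):] for k, v in params.items()
                  if k.startswith("openid.ns.") and v == PAPE_NS), None)
    if alias is None:
        return False, "no PAPE response"
    signed = set(params.get("openid.signed", "").split(","))
    # Unsigned extension fields could have been added in transit: ignore them.
    if f"{alias}.auth_policies" not in signed:
        return False, "PAPE fields not covered by signature"
    used = set(params.get(f"openid.{alias}.auth_policies", "").split())
    missing = set(required) - used
    if missing:
        return False, "policy not applied: " + ", ".join(sorted(missing))
    if max_auth_age is not None:
        raw = params.get(f"openid.{alias}.auth_time")
        if raw is None or f"{alias}.auth_time" not in signed:
            return False, "auth_time missing or unsigned"
        try:
            t = datetime.strptime(raw, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        except ValueError:
            return False, "auth_time malformed"
        age = ((now or datetime.now(timezone.utc)) - t).total_seconds()
        if not -skew <= age <= max_auth_age:
            return False, "authentication too old"
    return True, "ok"
```

The policies in the request are preferences, so the RP has to enforce its requirement on the response rather than assume the OP honored it.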
December 31st, 2008 at 5:33 am
[...] I just announced on openid.net, OpenID Provider Authentication Policy Extension 1.0 (PAPE) has just been approved as an [...]
January 2nd, 2009 at 3:42 am
Excellent news.
January 7th, 2009 at 12:53 am
That's really good news. I hope web sites using OpenID will use it in order to improve security. Like http://buxfer.com/ as an example…
Looks like some SAML attributes. Sounds good
January 7th, 2009 at 9:42 pm
[...] in time before year’s end the Provider Authentication Policy Extension (PAPE) was approved as an OpenID specification by votes of members of the OpenID [...]
January 15th, 2009 at 12:42 pm
Splendid news.
January 15th, 2009 at 8:53 pm
[...] How do I get one? « PAPE Approved as an OpenID Specification [...]
June 18th, 2009 at 7:30 pm
in time before year’s end the Provider Authentication Policy Extension (PAPE) was approved as an OpenID specification by votes of members of the OpenID