<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=Content-Type content="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 12 (filtered medium)">
<style>
<!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.MsoPlainText, li.MsoPlainText, div.MsoPlainText
{mso-style-priority:99;
mso-style-link:"Plain Text Char";
margin:0in;
margin-bottom:.0001pt;
font-size:10.5pt;
font-family:Consolas;}
span.EmailStyle17
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.PlainTextChar
{mso-style-name:"Plain Text Char";
mso-style-priority:99;
mso-style-link:"Plain Text";
font-family:Consolas;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page Section1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.Section1
{page:Section1;}
-->
</style>
<!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang=EN-US link=blue vlink=purple>
<div class=Section1>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Hi Siddharth,<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>I hate to disappoint you and those who have worked on this
draft, but both as the PAPE working group was chartered and as per the
subsequent discussions on the working group list, any specification of specific
authentication mechanisms is explicitly out of scope for PAPE. The approved
charter includes the language:<o:p></o:p></span></p>
<p class=MsoNormal style='margin-left:.5in'>
<b>(iii)</b> Scope: … Adding any support for
communicating requests for or the use of specific authentication methods (as
opposed to authentication policies) is explicitly out of scope.<o:p></o:p></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>My September 22<sup>nd</sup> response on the working group list
to Tatsuki Sakushima gave some of the reasons for this:<o:p></o:p></span></p>
<p class=MsoPlainText style='margin-left:.5in'>One of the core compromises that
enabled the development of PAPE in the first place is that it is a vocabulary
for communicating *only* authentication policies -- not specific authentication
mechanisms. (In fact, the second "P" in PAPE stands for
"Policy".) The participants agreed that if people wanted to
communicate specific methods ("I used a password", "I used a
password with a software OTP", "I used a client-side certificate not
in the trusted root certificate store", "I used a visual
secret", ...) that a different specification should be produced to do
that. If someone does that in another working group that's fine by me,
but that work is explicitly out of scope for the PAPE working group.<o:p></o:p></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>I’m sorry if the PAPE scope wasn’t clear to those of
you who produced this document or if you were unaware of it. But I’d
rather be clear with you at this point than to have you believe that we can
entertain this proposal within the PAPE working group. We are explicitly
prohibited from doing so.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>I *<b>would</b>* support you creating a different OpenID Working
group to create a Provider Authentication Mechanism Extension (PAME)
specification. (In fact, I’d probably join it.) As per the discussions
that led to the creation of PAPE drafts 1 and 2, then we can let the market
decide, which is a good thing. If people believe that knowing the
policies used is sufficient, the PAPE spec will be used. If people want
to know specific mechanisms and a spec is created to communicate them, then
that will be used. It should also be possible to use them in combination.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Feel free to call my mobile phone (425) 985-8916 if you’d
like to discuss this further.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'> Best
wishes,<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'> --
Mike<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<div>
<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'>
<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span
style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>
specs-pape-bounces@openid.net [mailto:specs-pape-bounces@openid.net] <b>On
Behalf Of </b>Bajaj, Siddharth<br>
<b>Sent:</b> Monday, September 29, 2008 12:46 PM<br>
<b>To:</b> specs-pape@openid.net<br>
<b>Cc:</b> Brian Kelly; taylor.venable@trustbearer.com<br>
<b>Subject:</b> [specs-pape] Proposed PAPE Addendum for Authentication
Mechanisms (PAPE-AM)<o:p></o:p></span></p>
</div>
</div>
<p class=MsoNormal><o:p> </o:p></p>
<div>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>To
the PAPE Working Group: </span><o:p></o:p></p>
</div>
<div>
<p class=MsoNormal> <o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Please
find a draft called 'Provider Authentication Policy Extension - Authentication
Mechansims (PAPE-AM)'. This addendum is intended to extend the policies
supported by the existing PAPE specification. PAPE-AM enables OpenID providers
to provide more granular policies and information to the Relying Parties. </span><o:p></o:p></p>
</div>
<div>
<p class=MsoNormal> <o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>For
example, Relying Parties will be able to request that the end user authenticate
to the OpenID Provider using certain forms of credentials such as a digital
certificate on smart card issued by a particular organization, an OTP token, or
that OpenID users be authenticated to the provider under other certain specific
security-related conditions. </span><o:p></o:p></p>
</div>
<div>
<p class=MsoNormal> <o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Specifically,
this addendum currently covers four areas which relate to the assurance of
an authentication against the OpenID provider. Three of these areas govern
the actual authentication process and method: PKI, OTP, and password. An
additional category governs the channel security used in the connection
which established the authenticated session.</span><o:p></o:p></p>
</div>
<div>
<p class=MsoNormal> <o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>The
authors have deliberated on each of the attributes below and have tried to keep
a sensible balance between simplicity and functionality. They identify some use
cases where such granular control would be beneficial to the Relying Parties. </span><o:p></o:p></p>
</div>
<div>
<p class=MsoNormal> <o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>The
authors want to submit this work to the PAPE WG for consideration to be
included in the PAPE specification or as appropriate. </span><o:p></o:p></p>
</div>
<div>
<p class=MsoNormal> <o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Thank
you for your consideration, </span><o:p></o:p></p>
</div>
<div>
<p class=MsoNormal> <o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Taylor
Venable, Brian Kelly, Mingliang Pei, Siddharth Bajaj & Daniel Perry. </span><o:p></o:p></p>
</div>
</div>
</body>
</html>