OpenID Assertion Quality Extension - Draft

Recordon, David drecordon at verisign.com
Wed Nov 29 00:45:51 PST 2006


So this is the first public draft of the extension that Avery, Paul, and
I have been working on the past two weeks.  Definitely looking for
feedback about all aspects of it and it still has some gaps, though we
wanted to put it out there for comments.

Thanks,
--David

Abstract:
This extension to the OpenID Authentication protocol provides means for
a Relying Party to request additional information about the specifics by
which a user enrolled and/or authenticated to the OpenID Provider, as
well as for an OpenID Provider to add such information into assertions.
Such information may be necessary for use cases in which, for an RP to
make an assessment of the quality of an assertion from an OP, the OP's
identity is not on its own sufficient (as might be the case were an OP
capable of authenticating a user through various authentication
mechanisms).

While there are other aspects of lifecycle management that may bear on
the resultant quality of an OpenID Authentication assertion - enrollment
and authentication are generally the two characteristics that are most
useful in distinguishing authentication quality. Consequently, we focus
on these aspects here. We expect that other aspects (e.g. security
characteristics, credential provisioning, etc.) could be dealt with in
the future.

As an extension, it requires no changes to either the Yadis protocol or
the OpenID Authentication protocol and is viewed as an optional
extension though its use is certainly recommended.

We acknowledge that, while none of the information expressed via this
extension can be verified by the Relying Party in a technological
fashion, this need not be viewed as an issue. The lack of an inherent
trust model within OpenID allows for Relying Parties to decide which OPs
they trust using whatever criteria they choose - likewise RPs will
decide whether or not to trust claims as to authentication quality from
such OPs as well. 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://openid.net/pipermail/specs/attachments/20061129/42d1dac7/attachment-0001.html 

