December 30, 2008
PAPE Specification Approved and Ready for Use

OpenID logoAs I just announced on openid.net, OpenID Provider Authentication Policy Extension 1.0 (PAPE) has just been just been approved as an OpenID specification. Deployment of PAPE will go a long way towards mitigating the phishing vulnerabilities of password-based OpenIDs by enabling OpenID Relying Parties to request that OpenID Providers employ phishing-resistant authentication methods when authenticating users and for OpenID Providers to inform Relying Parties whether this (and other) authentication policies were satisfied.

It’s tempting to say that the approval of the specification is the fulfillment of the promise of the OpenID/CardSpace collaboration for phishing-resistant authentication introduced by Bill Gates and Craig Mundie the RSA Security Conference last year, but it’s really just an enabling step. The true value of PAPE will come when it is widely deployed by security-conscious OpenID Relying Parties, and the use of phishing-resistant authentication methods, such as Information Cards and others, is widespread and commonplace. Let the deployments begin!

One Response to “PAPE Specification Approved and Ready for Use”

  1. Chris Messina on 31 Dec 2008 at 7:00 pm #

    Congrats Mike! What’s the plan for pushing further adoption? What’s the likely adoption curve look like?

Trackback URI | Comments RSS

Leave a Reply

You must be logged in to post a comment.