The OpenID Provider Authentication Policy Extension (PAPE) specification enables an OpenID Relying Party to request that the OpenID Provider satisfy a set of policies specified by the RP when the OP logs the user in. And it likewise enables the OP to reply to the RP saying which of the policies it satisfied.
One of these policies lets the RP request that the OP perform phishing-resistant authentication, the need for which has been discussed here and elsewhere. Another capability I’m a fan of is the ability for the RP to “freshness date” the login, requiring that the OP actively authenticate the user if the current authentication was performed longer ago than an RP-specified number of seconds.
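As an added example that is not code from the post or from any of the implementations named below: an RP-side helper that builds the PAPE request parameters (preferred policies plus a max_auth_age "freshness" limit) and then checks the OP's reply for the two things the RP actually cares about, that the required policies were satisfied and that auth_time is recent enough. The parameter names and policy URIs are the ones defined by the PAPE spec; the checking logic, the signed-field check and the sample responses are my own construction, and the code assumes the surrounding OpenID library has already verified openid.sig.

```python
# Added example (not from the post): an RP-side helper that builds the PAPE request
# parameters and validates the OP's PAPE response fields.
from datetime import datetime, timezone

PAPE_NS = "http://specs.openid.net/extensions/pape/1.0"
PHISHING_RESISTANT = "http://schemas.openid.net/pape/policies/2007/06/phishing-resistant"
MULTI_FACTOR = "http://schemas.openid.net/pape/policies/2007/06/multi-factor"
POLICY_NONE = "http://schemas.openid.net/pape/policies/2007/06/none"


def build_pape_request(preferred_policies, max_auth_age=None):
    """Parameters the RP appends to its checkid_setup/checkid_immediate request."""
    params = {
        "openid.ns.pape": PAPE_NS,
        "openid.pape.preferred_auth_policies": " ".join(preferred_policies),
    }
    if max_auth_age is not None:
        params["openid.pape.max_auth_age"] = str(int(max_auth_age))
    return params


def parse_auth_time(value):
    """auth_time is RFC 3339 in UTC with a trailing 'Z'; anything else is rejected."""
    if not value.endswith("Z"):
        raise ValueError("auth_time must be UTC with a trailing Z")
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_pape_response(response, required_policies, max_auth_age, now):
    """Return (ok, reasons).  Verifying openid.sig itself is left to the OpenID
    library (assumption); this only checks that the PAPE fields were covered by
    that signature and that they meet what the RP asked for."""
    reasons = []
    if response.get("openid.ns.pape") != PAPE_NS:
        return False, ["OP did not return a PAPE response"]

    # openid.signed lists the signed field names without the "openid." prefix.
    signed = set(response.get("openid.signed", "").split(","))
    pape_fields = {k[len("openid."):] for k in response if k.startswith("openid.pape.")}
    pape_fields.add("ns.pape")
    unsigned = pape_fields - signed
    if unsigned:
        reasons.append("PAPE fields not covered by the signature: " + ", ".join(sorted(unsigned)))

    satisfied = set(response.get("openid.pape.auth_policies", "").split())
    satisfied.discard(POLICY_NONE)  # "none" is the OP saying it met no policy at all
    missing = set(required_policies) - satisfied
    if missing:
        reasons.append("required policies not satisfied: " + ", ".join(sorted(missing)))

    if max_auth_age is not None:
        raw = response.get("openid.pape.auth_time")
        if raw is None:
            reasons.append("max_auth_age was requested but OP omitted auth_time")
        else:
            try:
                age = (now - parse_auth_time(raw)).total_seconds()
            except ValueError as exc:
                reasons.append(f"bad auth_time: {exc}")
            else:
                if age < 0:
                    reasons.append("auth_time is in the future")
                elif age > max_auth_age:
                    reasons.append(f"auth_time is {int(age)}s old, limit is {max_auth_age}s")
    return (not reasons), reasons


# Constructed sample data (not real OP output).
NOW = datetime(2008, 12, 1, 19, 0, 0, tzinfo=timezone.utc)
SIGNED = ("op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle,"
          "ns.pape,pape.auth_policies,pape.auth_time")
RESPONSE_OK = {
    "openid.ns.pape": PAPE_NS,
    "openid.pape.auth_policies": PHISHING_RESISTANT,
    "openid.pape.auth_time": "2008-12-01T18:50:00Z",  # 10 minutes before NOW
    "openid.signed": SIGNED,
}
RESPONSE_STALE = dict(RESPONSE_OK, **{"openid.pape.auth_time": "2008-12-01T16:00:00Z"})  # 3 hours old
RESPONSE_NONE = dict(RESPONSE_OK, **{"openid.pape.auth_policies": POLICY_NONE})

if __name__ == "__main__":
    print(build_pape_request([PHISHING_RESISTANT], max_auth_age=3600))
    for name, resp in [("ok", RESPONSE_OK), ("stale", RESPONSE_STALE), ("none", RESPONSE_NONE)]:
        print(name, check_pape_response(resp, [PHISHING_RESISTANT], 3600, NOW))
```

Two design points worth noting: the RP treats preferred_auth_policies as a request but decides for itself which policies are mandatory, since the OP is free to report that it satisfied none of them; and auth_time is only meaningful if the OP signed it, so an unsigned PAPE field is treated as a failure rather than silently ignored.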
The PAPE Working Group just recommended that the OpenID Foundation members approve the current draft (Draft 7) as an OpenID specification. Today starts a 60 day review period required as part of the OpenID specification process, which occurs prior to an approval vote by the members. PAPE is the first new specification to be produced under this process, and I’m pleased as an OpenID board member to report we now have an existence proof that the process works (or more precisely, we will once this specification is approved).
There are already four implementations of this spec in existence, and even better, there are public testing endpoints for these implementations where you can kick the tires. You can try the DotNetOpenId and JanRain implementations at these sites:
- http://nerdbank.org/pape.demo/
- http://openidenabled.com/php-openid/trunk/examples/consumer/ and http://openidenabled.com/php-openid/trunk/examples/server/server.php
- http://openidenabled.com/python-openid/trunk/examples/consumer/ and http://openidenabled.com/python-openid/trunk/examples/server/
- http://openidenabled.com/ruby-openid/trunk/examples/consumer/ and http://openidenabled.com/ruby-openid/trunk/examples/
You should also be able to test the relying parties with signon.com and myopenid.com, which currently implement earlier drafts, since the authentication policy syntax didn’t change.
This spec was a collaborative effort among a number of people. David Recordon wrote the initial drafts last year, with input from the people thanked in Draft 2. Since then, Nat Sakimura was responsible for the generalization of the authentication levels to enable levels other than just those defined by NIST to be used. Ben Laurie was an ardent and practical security advocate (as always). Allen Tom was a proponent of the strong “level 0” description. Andrew Arnott of the DotNetOpenId project shared his experiences building an independent implementation with the working group, helping improve the specification. And John Bradley was a never-ending source of common sense, although he would deny it to your face if asked.