OpenID 2.0 proposed security profiles
Dick Hardt
dick at sxip.com
Thu Aug 31 17:05:06 UTC 2006
On 31-Aug-06, at 9:57 AM, Martin Atkins wrote:
>
> I'm starting to come around to this profile-negotiation idea, but I
> still have a few comments...
>
> Granqvist, Hans wrote:
>> The names "A" and "B" should of course be discussed. I don't
>> want to name them "low security" and "medium security" as
>> such distinctions carry implications and liabilities. (There
>> is also a risk of security creep that forces definitions to change
>> over time -- what is now 'medium security' could be 'low security'
>> in a few years, and possibly 'useless security' in yet another few
>> years. But the definition will be stuck as
>> 'medium security' forever.)
>
> I think A and B are just as bad as "low" and "medium". Let's
> instead name them after what they actually do, so I don't have to
> remember that "A is the one that doesn't require ... " (I've
> forgotten already, so I can't finish that sentence)
>
> Obviously it'll be tricky to come up with a terse way to name them,
> but even if it just calls out one major difference between the two
> it'd be better than completely arbitrary labels, especially since
> we're likely to start adding profiles C, D and E in the future when
> situations change.
I think that having different levels is good. Having a name like
"low security" is not good.
> I realise that this is nit-picking, but I would like it if the
> "auth" here was changed to "authen", just so it's clear that we're
> talking about authentication rather than authorization. In the URIs
> for earlier versions I suggested "signon" to avoid calling it
> "auth", but "authen"'s probably a clearer term.
Industry terms are AuthN and AuthZ to differentiate between
authentication and authorization.