OpenID 2.0 proposed security profiles

[Dick Hardt]

On 31-Aug-06, at 9:57 AM, Martin Atkins wrote:

>
> I'm starting to come around to this profile-negotiation idea, but I  
> still have a few comments...
>
> Granqvist, Hans wrote:
>>  The names "A" and "B" should of course be discussed. I don't
>> want to name then "low security" and "medium security" as
>> such distinctions carry implications and liabilities. (There
>> is also a risk of security creep that forces definitions to change  
>> over time -- what is now 'medium security' could be 'low security'  
>> in a few years, and possibly 'useless security' in yet another few  
>> years. But the definition will be stuck as
>> 'medium security' forever.)
>
> I think A and B are just as bad as "low" and "medium". Let's  
> instead name them after what they actually do, so I don't have to  
> remember that "A is the one that doesn't require ... " (I've  
> forgotten already, so I can't finish that sentence)
>
> Obviously it'll be tricky to come up with a terse way to name them,  
> but even if it just calls out one major difference between the two  
> it'd be better than completely arbitrary labels, especially since  
> we're likely to start adding profiles C, D and E in the future when  
> situations change.

I think that there are different levels is good. Having a name like  
"low security" is not good.

> I realise that this is nit-picking, but I would like it if the  
> "auth" here was changed to "authen", just so it's clear that we're  
> talking about authentication rather than authorization. In the URIs  
> for earlier versions I suggested "signon" to avoid calling it  
> "auth", but "authen"'s probably a clearer term.

Industry terms are AuthN and AuthZ to differentiate between  
authentication and authorization