Re: [dix] Re: [Ietf-http-auth] BOF Request: WARP - Web Authentication Resistant to Phishing

[John Merrells <merrells at sxip.com>]

On 5-Jun-06, at 2:00 PM, Sam Hartman wrote:

> > > > > > "Eric" == Eric Rescorla <ekr at networkresonance.com> writes:
>
>     Eric> Sam Hartman <hartmans-ietf at mit.edu> writes:
> > > > > > > > "Pete" == Pete Rowley <prowley at redhat.com> writes:
>     Pete> It is a requirement if you require to support more than
>     Pete> authN.  Access to a site might require an "I am over 21"
>     Pete> token, authZ without direct authN - DIX supports that, and I
>     Pete> believe it is important to do so.
> > >  I think the over-21 example is particularly bad because I
> > > cannot imagine a site (at least in the US) not taking
> > > responsibility for that check themselves based on demographic
> > > data they request.  It seems like way too much of a risk to
> > > outsource this to an identity provider especially if you allow
> > > identities from a number of different identity providers.
>
>     Eric> I'm surprised to see you make this claim, since outsourced
>     Eric> adult verification services for porn sites are extremely
>     Eric> common.
>
> My point is that I expect the porn site to have a contract with some
> verification service they trust

They would in both cases. They 'trust' the authority, and they need
a mechanism to verify the claim.

> and not to want to handle that data
> transport through the identity exchange.

Why not? It costs less to implement. The Service Provider just has
to state up front what it's policy is wrt to the set of claims it  
requires
to permit access to the requested content. The claims are some
kind of signed blob (eg SAML assertion)... why would they care if
it came in with the user's 'login' to the site?

John



_______________________________________________
dix mailing list
dix at ietf.org
https://www1.ietf.org/mailman/listinfo/dix