Re: [dix] Re: [Ietf-http-auth] BOF Request: WARP - Web Authentication Resistant to Phishing


>>>>> "Eric" == Eric Rescorla <ekr at networkresonance.com> writes:

    Eric> Sam Hartman <hartmans-ietf at mit.edu> writes:
    >>>>>>> "Eric" == Eric Rescorla <ekr at networkresonance.com> writes:
    >>
    Eric> Sam Hartman <hartmans-ietf at mit.edu> writes:
    >> >>>>>>> "Pete" == Pete Rowley <prowley at redhat.com> writes:
    >> >>
    Pete> It is a requirement if you require to support more than
    Pete> authN.  Access to a site might require an "I am over 21"
    Pete> token, authZ without direct authN - DIX supports that, and I
    Pete> believe it is important to do so.
    >> I think the over-21 example is particularly bad because I
    >> cannot imagine a site (at least in the US) not taking
    >> responsibility for that check themselves based on demographic
    >> data they request.  It seems like way too much of a risk to
    >> outsource this to an identity provider especially if you
    >> allow identities from a number of different identity
    >> providers.
    >> 
    Eric> I'm surprised to see you make this claim, since outsourced
    Eric> adult verification services for porn sites are extremely
    Eric> common.
    >>  My point is that I expect the porn site to have a contract
    >> with some verification service they trust and not to want to
    >> handle that data transport through the identity exchange.

    Eric> I'm not sure I see the distinction here.

The distinction is layer 9; I don't think there is a technical distinction.

It is my impression mostly from financial sector businesses that you
are going to see people verifying this information themselves (through
a separate exchange with a business partner) rather than trusting the
same assertion signed as part of the identity exchange.


--Sam

_______________________________________________
dix mailing list
dix at ietf.org
https://www1.ietf.org/mailman/listinfo/dix

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.