3 Jul 06:36
Re: [OpenID] PAPE yahoo?
From: Allen Tom <atom <at> yahoo-inc.com>
Subject: Re: [OpenID] PAPE yahoo?
Newsgroups: gmane.comp.web.openid.general
Date: 2008-07-03 04:36:29 GMT
Hi Peter,

Yahoo issues persistent browser sessions that are valid for up to 14 days, and the Yahoo OpenID Provider does not re-prompt for the user's password before we send an assertion to the Relying Party. We do not re-prompt the user for their password in order to improve the usability of the service.

Generally speaking, sites that authorize financial transactions re-prompt the user for their password before authorizing the transaction, even if the user is already logged in. We're definitely interested in seeing OpenID being used to authorize high value transactions, and hopefully the new PAPE extension will make this a reality.

In answer to your question, currently a Yahoo OpenID is not appropriate to protect a stored credit card number on an RP that is an online merchant or bank.

Allen

Peter Williams wrote:
> Is the yahoo limitation due to the technical nature of openid?
>
> Is it due to the open nature of the openid uci model?
>
> Is the advice the same as given to folks who use alternative apis?
>
> Should I take it as given that a yahoo openid is not appropriate for concluding a $1 credit card transaction? Even over verisign ssl?
>
> ________________________________
> From: Allen Tom <atom <at> yahoo-inc.com>
> Sent: Wednesday, July 02, 2008 8:24 PM
> To: 'James Tindall' <james <at> atomless.com>; general <at> openid.net <general <at> openid.net>
> Subject: Re: [OpenID] PAPE yahoo?
>
> Hi James,
>
> Yahoo supports the PAPE extension specifically to mark our assertions with NIST Auth Level 0, to indicate that Relying Parties should not use Yahoo OpenID assertions to authorize transactions of financial value, or other high value transactions. We have this documented in our FAQ here:
>
> http://developer.yahoo.com/openid/faq.html
>
> Thanks,
> Allen
>
> Drummond Reed wrote:
> > James Tindall wrote:
> > > Hello all,
> > >
> > > I have a quick question that doesn't seem to be covered in the existing spec docs.
> > >
> > > If a user enters 'yahoo.com' the OpenID discovery phase yields this xrds document:
> > >
> > > <XRD>
> > >   <Service priority="0">
> > >     <Type>http://specs.openid.net/auth/2.0/server</Type>
> > >     <Type>http://specs.openid.net/extensions/pape/1.0</Type>
> > >     <URI>https://open.login.yahooapis.com/openid/op/auth</URI>
> > >   </Service>
> > > </XRD>
> > >
> > > Is a Relying Party to take this as meaning that the Yahoo OpenID server supports all PAPE policies?
> >
> > It depends on what you mean by "supports all PAPE policies".
> >
> > The XRD above simply says that the Yahoo OpenID 2.0 server supports PAPE, which means the RP can include a PAPE request in their OpenID 2.0 authentication request to the Yahoo OP, and Yahoo will answer the request saying which policies it did/didn't use for authentication (e.g., was it phishing-proof or not?)
> >
> > It doesn't mean that Yahoo has to support all the potential authentication policies that the PAPE vocabulary includes.
> >
> > =Drummond
> >
> > _______________________________________________
> > general mailing list
> > general <at> openid.net<mailto:general <at> openid.net>
> > http://openid.net/mailman/listinfo/general
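The thread makes two points a Relying Party has to act on: the XRDS type URI only says the OP will answer a PAPE request (Drummond), and Yahoo answers it with NIST Auth Level 0 from a session that may be up to 14 days old (Allen). The Python below is an added example, not code from the thread, Yahoo or the OpenID project. It checks the discovery hint, builds the PAPE request, and then applies an RP-side policy to the assertion: a card charge is allowed only when the OP asserts at least NIST level 2 and an `auth_time` within `max_auth_age`. A missing level is treated as unknown, not as a pass. The parameter names follow PAPE 1.0 (`openid.pape.auth_level.ns.<alias>` / `openid.pape.auth_level.<alias>`), with the earlier draft key `openid.pape.nist_auth_level` accepted as a fallback since that is what OPs shipped when this thread was written; the XRDS namespace wrapper, the `nist` alias, the level-2 threshold and both sample assertions are constructed for the example.

```python
"""Relying-party handling of the PAPE discovery hint and the PAPE response (added example)."""
import calendar
import time
import xml.etree.ElementTree as ET
from urllib.parse import parse_qsl

OPENID2_SERVER = "http://specs.openid.net/auth/2.0/server"
PAPE_NS = "http://specs.openid.net/extensions/pape/1.0"
POLICY_MULTI_FACTOR = "http://schemas.openid.net/pape/policies/2007/06/multi-factor"
POLICY_NONE = "http://schemas.openid.net/pape/policies/2007/06/none"
NIST_SP800_63 = "http://csrc.nist.gov/publications/nistpubs/800-63/SP800-63V1_0_2.pdf"
XRD_NS = "xri://$xrd*($v*2.0)"

# Constructed XRDS modelled on the Yahoo document quoted in the thread
# (namespace declarations added so a real XRDS parser accepts it).
SAMPLE_XRDS = f"""<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="{XRD_NS}">
  <XRD>
    <Service priority="0">
      <Type>{OPENID2_SERVER}</Type>
      <Type>{PAPE_NS}</Type>
      <URI>https://open.login.yahooapis.com/openid/op/auth</URI>
    </Service>
  </XRD>
</xrds:XRDS>"""


def op_supports_pape(xrds_text):
    """True if an OpenID 2.0 server endpoint in the XRDS also lists the PAPE type.
    That only means the OP will answer a PAPE request; it says nothing about
    which policies or assurance levels the OP can actually deliver."""
    root = ET.fromstring(xrds_text)
    for svc in root.iter(f"{{{XRD_NS}}}Service"):
        types = {t.text.strip() for t in svc.findall(f"{{{XRD_NS}}}Type") if t.text}
        if OPENID2_SERVER in types and PAPE_NS in types:
            return True
    return False


def pape_request(max_auth_age, policies=()):
    """PAPE parameters the RP appends to its checkid_setup request."""
    return {
        "openid.ns.pape": PAPE_NS,
        "openid.pape.max_auth_age": str(max_auth_age),
        "openid.pape.preferred_auth_policies": " ".join(policies),
        # PAPE 1.0 requests an assurance level by alias; "nist" is our alias (assumption).
        "openid.pape.preferred_auth_level_types": "nist",
        "openid.pape.auth_level.ns.nist": NIST_SP800_63,
    }


def parse_assertion(query_string):
    """Positive-assertion parameters as delivered to the RP's return_to URL."""
    return dict(parse_qsl(query_string, keep_blank_values=True))


def nist_auth_level(resp):
    """NIST SP 800-63 level the OP asserted, or None if it reported none."""
    prefix = "openid.pape.auth_level.ns."
    for key, value in resp.items():  # PAPE 1.0 final form: level under an alias
        if key.startswith(prefix) and value == NIST_SP800_63:
            level = resp.get("openid.pape.auth_level." + key[len(prefix):], "")
            return int(level) if level.isdigit() else None
    level = resp.get("openid.pape.nist_auth_level", "")  # earlier draft key
    return int(level) if level.isdigit() else None


def auth_is_fresh(resp, max_auth_age, now):
    """auth_time present, well formed (UTC, Zulu), and within max_auth_age seconds of now."""
    try:
        authed = calendar.timegm(time.strptime(resp.get("openid.pape.auth_time", ""), "%Y-%m-%dT%H:%M:%SZ"))
    except ValueError:  # missing or malformed: do not give the OP the benefit of the doubt
        return False
    return 0 <= now - authed <= max_auth_age


def acceptable_for_payment(resp, max_auth_age, now, min_nist_level=2):
    """RP policy for a card charge: accept only a PAPE-marked assertion carrying at
    least min_nist_level and a login fresher than max_auth_age. Level 0 (what the
    thread says Yahoo sends) and a missing level both fail."""
    if resp.get("openid.ns.pape") != PAPE_NS:
        return False, "OP did not answer the PAPE request"
    level = nist_auth_level(resp)
    if level is None:
        return False, "no NIST level asserted; treated as unknown, not as satisfied"
    if level < min_nist_level:
        return False, f"NIST level {level} is below required level {min_nist_level}"
    if not auth_is_fresh(resp, max_auth_age, now):
        return False, "auth_time missing, malformed, or older than max_auth_age"
    return True, f"NIST level {level}, recent authentication"


NOW = calendar.timegm((2008, 7, 3, 4, 36, 29, 0, 0, 0))  # the thread's timestamp, UTC

# Constructed: a level-0 assertion riding on a week-old persistent session.
LEVEL0_RESPONSE = "&".join([
    "openid.ns=http://specs.openid.net/auth/2.0", "openid.mode=id_res",
    "openid.ns.pape=" + PAPE_NS, "openid.pape.auth_policies=" + POLICY_NONE,
    "openid.pape.auth_time=2008-06-25T09:12:00Z", "openid.pape.nist_auth_level=0",
])
# Constructed: an OP that re-authenticated with a second factor 79 seconds ago.
LEVEL2_RESPONSE = "&".join([
    "openid.ns=http://specs.openid.net/auth/2.0", "openid.mode=id_res",
    "openid.ns.pape=" + PAPE_NS, "openid.pape.auth_policies=" + POLICY_MULTI_FACTOR,
    "openid.pape.auth_time=2008-07-03T04:35:10Z",
    "openid.pape.auth_level.ns.nist=" + NIST_SP800_63, "openid.pape.auth_level.nist=2",
])

if __name__ == "__main__":
    print("OP advertises PAPE:", op_supports_pape(SAMPLE_XRDS))
    for name, raw in (("level-0", LEVEL0_RESPONSE), ("level-2", LEVEL2_RESPONSE)):
        print(name, acceptable_for_payment(parse_assertion(raw), 300, NOW))
```

The freshness check is what makes `max_auth_age` meaningful: an OP that reports a strong level but an `auth_time` older than the RP's window is still refused, which is the re-prompt behaviour Allen describes for financial sites, enforced from the RP side rather than trusted to the OP.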