3 Jul 10:10
Re: [OpenID] PAPE yahoo?
From: James Tindall <james <at> atomless.com>
Subject: Re: [OpenID] PAPE yahoo?
Newsgroups: gmane.comp.web.openid.general
Date: 2008-07-03 08:10:05 GMT
Thanks for clearing that up Allen, much appreciated!

James

Allen Tom wrote:
> Hi Peter,
>
> Yahoo issues persistent browser sessions that are valid for up to 14
> days, and the Yahoo OpenID Provider does not re-prompt for the user's
> password before we send an assertion to the Relying Party. We do not
> re-prompt the user for their password in order to improve the
> usability of the service.
>
> Generally speaking, sites that authorize financial transactions
> re-prompt the user for their password before authorizing the
> transaction, even if the user is already logged in.
>
> We're definitely interested in seeing OpenID being used to authorize
> high value transactions, and hopefully the new PAPE extension will
> make this a reality.
>
> In answer to your question, currently a Yahoo OpenID is not
> appropriate to protect a stored credit card number on an RP that is an
> online merchant or bank.
>
> Allen
>
>
> Peter Williams wrote:
>> Is the yahoo limitation due to the technical nature of openid
>>
>> Is it due to the open nature of the openid uci model?
>>
>> Is the advice the same as given to folks who use alternative apis?
>>
>> Should I take it as given that a yahoo openid is not appropriate for
>> concluding a $1 credit card transaction? Even over verisign ssl?
>>
>> ________________________________
>> From: Allen Tom <atom <at> yahoo-inc.com>
>> Sent: Wednesday, July 02, 2008 8:24 PM
>> To: 'James Tindall' <james <at> atomless.com>; general <at> openid.net
>> <general <at> openid.net>
>> Subject: Re: [OpenID] PAPE yahoo?
>>
>> Hi James,
>>
>> Yahoo supports the PAPE extension specifically to mark our assertions
>> with NIST Auth Level 0, to indicate that Relying Parties should not use
>> Yahoo OpenID assertions to authorize transactions of financial value,
>> or other high value transactions. We have this documented in our FAQ
>> here:
>>
>> http://developer.yahoo.com/openid/faq.html
>>
>> Thanks,
>> Allen
>>
>>
>> Drummond Reed wrote:
>>> James Tindall wrote:
>>>> Hello all,
>>>>
>>>> I have a quick question that doesn't seem to be covered in the existing
>>>> spec docs.
>>>>
>>>> If a user enters 'yahoo.com' the OpenID discovery phase yields this xrds
>>>> document:
>>>>
>>>> <XRD>
>>>>   <Service priority="0">
>>>>     <Type>http://specs.openid.net/auth/2.0/server</Type>
>>>>     <Type>http://specs.openid.net/extensions/pape/1.0</Type>
>>>>     <URI>https://open.login.yahooapis.com/openid/op/auth</URI>
>>>>   </Service>
>>>> </XRD>
>>>>
>>>> Is a Relying Party to take this as meaning that the Yahoo OpenID server
>>>> supports all PAPE policies?
>>>
>>> It depends on what you mean by "supports all PAPE policies"?
>>>
>>> The XRD above simply says that the Yahoo OpenID 2.0 server supports PAPE,
>>> which means the RP can include a PAPE request in their OpenID 2.0
>>> authentication request to the Yahoo OP, and Yahoo will answer the request
>>> saying which policies it did/didn't use for authentication (e.g., was it
>>> phishing-proof or not?)
>>>
>>> It doesn't mean that Yahoo has to support all the potential authentication
>>> policies that the PAPE vocabulary includes.
>>>
>>> =Drummond
>>>
>>> _______________________________________________
>>> general mailing list
>>> general <at> openid.net<mailto:general <at> openid.net>
>>> http://openid.net/mailman/listinfo/general

-- 
-----------------------------------------
James Tindall
http://www.atomless.com/
T : +44(0)1305 250 377
M : +44(0)7971 012 032
F : +44(0)1305 250 377
-----------------------------------------
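An added example, not code from anyone in this thread: the two checks an RP would make from the points Drummond and Allen raise, i.e. reading the XRDS to see whether the OP advertises PAPE at all, and then gating a high-value action on the openid.pape.* response fields (nist_auth_level, auth_policies, auth_time, all PAPE 1.0 field names). The function names, the thresholds passed in, and the two sample responses (one modelled on Yahoo's level 0 / no-policy / days-old-session behaviour) are constructed for this example.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

PAPE_TYPE = "http://specs.openid.net/extensions/pape/1.0"
PAPE_NONE = "http://schemas.openid.net/pape/policies/2007/06/none"

# The XRDS fragment quoted in the thread (re-typed here for the example).
XRDS = """<XRD><Service priority="0">
<Type>http://specs.openid.net/auth/2.0/server</Type>
<Type>http://specs.openid.net/extensions/pape/1.0</Type>
<URI>https://open.login.yahooapis.com/openid/op/auth</URI>
</Service></XRD>"""

# Constructed sample responses (openid.pape.* fields only). YAHOO_LIKE mirrors
# what Allen describes: level 0, no policy, login from a days-old session.
NOW = datetime(2008, 7, 3, 8, 10, 5, tzinfo=timezone.utc)
YAHOO_LIKE = {"openid.pape.nist_auth_level": "0",
              "openid.pape.auth_policies": PAPE_NONE,
              "openid.pape.auth_time": "2008-06-20T08:00:00Z"}
STRONG = {"openid.pape.nist_auth_level": "2",
          "openid.pape.auth_policies":
              "http://schemas.openid.net/pape/policies/2007/06/phishing-resistant",
          "openid.pape.auth_time": "2008-07-03T08:08:00Z"}

def op_advertises_pape(xrds):
    """True if a <Service> lists the PAPE 1.0 type. As Drummond says, this only
    means the OP will answer a PAPE request, not that it enforces any policy."""
    root = ET.fromstring(xrds)
    return any(t.text.strip() == PAPE_TYPE
               for svc in root.iter("Service") for t in svc.iter("Type"))

def pape_ok_for_transaction(resp, min_nist_level, max_auth_age, now=NOW):
    """Gate a high-value action on the PAPE fields of an already
    signature-verified positive assertion. Every missing field fails closed."""
    level = resp.get("openid.pape.nist_auth_level", "")
    if not level.isdigit() or int(level) < min_nist_level:
        return False, "nist_auth_level %r below required %d" % (level, min_nist_level)
    policies = resp.get("openid.pape.auth_policies", PAPE_NONE).split()
    if not policies or policies == [PAPE_NONE]:
        return False, "OP applied no authentication policy"
    try:
        t = datetime.strptime(resp["openid.pape.auth_time"], "%Y-%m-%dT%H:%M:%SZ")
    except (KeyError, ValueError):
        return False, "auth_time missing or malformed"
    if now - t.replace(tzinfo=timezone.utc) > timedelta(seconds=max_auth_age):
        return False, "login older than max_auth_age; re-prompt the user"
    return True, "ok"
```

The Yahoo-like response is rejected on the first check alone, which is the point of Allen's level-0 marking: an RP asking for anything above level 0 never reaches the policy or freshness checks.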