Provider Asserton Policy Extension – Draft 2

Published October 23, 2007
We’ve just published Draft 2 of the OpenID Provider Assertion Policy Extension which replaces Draft 1 from July of this year. This draft adds clarifications to the spec and builds on implementation experiences from JanRain, Sxip, and VeriSign. The main goal of PAPE is to allow OpenID Relying Parties the ability to request and be informed of the use of stronger and phishing-resistant authentication mechanisms. If you’re working with authentication mechanisms beyond just username and password with OpenID, we definitely recommend you take a look at PAPE. From the abstract:
This extension to the OpenID Authentication protocol provides a mechanism by which a Relying Party can request that particular authentication policies be applied by the OpenID Provider when authenticating an End User. This extension also provides a mechanism by which an OpenID Provider may inform a Relying Party which authentication policies were used. Thus a Relying Party can request that the End User authenticate, for example, using a phishing-resistant or multi-factor authentication method. This extension is not intended to provide all information regarding the quality of an OpenID Authentication assertion. Rather, it is designed to be balanced with information the Relying Party already has with regard to the OpenID Provider and the level of trust it places in it. If additional information is needed about processes such as new End User enrollment on the OpenID Provider, such information should either be transmitted out-of-band or in other extensions such as OpenID Attribute Exchange. Other aspects (e.g. security characteristics, credential provisioning, etc) could be dealt with in the future, though End User privacy concerns must be kept in mind especially when discussing enrollment procedures.