Monday, April 28, 2008

US Centric Assurance

NRI's Nat Sakimura considers how OpenID's PAPE deals with NIST 800-63 assurance levels.

Especially for the financial applications, there may be country specific guidelines and it would probably be better to be able to state the compliance level with that standard or legislation.

e.g., instead of just having openid.pape.nist_auth_level, having something like this may do…

openid.pape.conf_std=http://www.fsa.go.jp/guideline/online-auth.html
openid.pape.conf_level=3

As it is, NIST is hard-coded into PAPE. Another assurance framework could be retrofitted in, but it would be (relative to the NIST integration) tacked-on.

The fact that a new group is being spun-up to standardize PAPE would appear to present an opportunity to remedy the situation, except for the stipulated requirement of 'maintaining compatibility for existing Draft 2 implementations'.

No comments: