Thursday, October 09, 2008

I love the smell of PAPE in the morning

Thinking more about the PAPE-AM model (please note the cute time-of-day reference in the title), which is meant to describe the specifics of an authentication mechanism rather than the more abstract security characteristics that such a mechanism can engender (the PAPE model).

As I understand it, one of the reasons that PAPE originally disavowed the 'specific method' model is the concern that for the OP to disclose this fact to RPs would present a privacy risk to the User, as the knowledge would give a malicious RP a (theoretical) advantage in hacking that User's account at the IDP.

I've never bought this argument:
  1. Given OpenID's (and, to a slightly lesser extent, the SAML Web SSO profile's) well-known vulnerability to phishing, if I were a bad RP, I could think of an easier way to get the User's IDP credential.
  2. Security through obscurity?

And even were I to grant the possibility that the RP might misuse the information, why should this particular bit of PII be treated any differently than another attribute, e.g. my shipping address? Minimal disclosure is definitely applicable here, but let's acknowledge that different RPs will have different views of just what level of detail is minimal and still useful.

Separately, I don't buy at all Mike's argument that PAPE, as it is a 'policy' extension, is not the place for expressing specific authentication mechanisms. It's all policy. And it's a distinction that WS-SecurityPolicy is happy to ignore.