Monday, October 06, 2008


A proposal for an evolution of PAPE that digs a bit deeper than PAPE's policies: specifically, it argues that assertions about how a user actually authenticated to an OP are needed.

The proposal, in that it delves into the details of the authentication mechanism, feels closer to SAML Authentication Context than existing PAPE (indeed, the original PAPEists specifically rejected this model, citing, amongst other issues, 'privacy concerns').
  • method = {password, otp, pki, biometric}
    The authentication method must contain one or more of these elements in the set. We chose 4 of the most common authentication methods today. This set could be expanded in the future.
  • = {mode, token_type, consent, length, encoding, algorithm}
    This parameter contains detailed information about the type of One-Time Password token and service that was used during authentication. Consent is defined by the additional factor of authentication needed to use the OTP (such as a passphrase or biometric).
  • = {storage, algorithm, policy, consent}
    This parameter contains detailed information about the private key used in a challenge-response with PKI authentication (e.g. “hardware”, “RSA_1024”, “not exportable”, “passphrase”).
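What a relying party would do with assertions of this shape, as an added example (not code from the proposal, the PAPE authors or this post): the OP signs the response, and the RP verifies the signature, refuses any method claim that the OP did not cover with that signature, checks the method values against the set above, and applies a local policy to the PKI attributes. The field names `pape_am.method` and `pape_am.pki.*` are assumed placeholders, since the proposal's wire-level names are not quoted here; the signature is the OpenID 2.0 HMAC over the key-value form of the fields listed in `openid.signed`; the association key and the responses are constructed for the demo.

```python
import base64
import hashlib
import hmac

# The method values are the set named in the proposal; anything else is rejected.
ALLOWED_METHODS = {"password", "otp", "pki", "biometric"}

# Parameter names are ASSUMED placeholders: the page gives the proposal's
# attribute sets but not its wire-level field names.
METHOD_FIELD = "pape_am.method"
PKI_FIELDS = {
    "storage": "pape_am.pki.storage",
    "algorithm": "pape_am.pki.algorithm",
    "policy": "pape_am.pki.policy",
    "consent": "pape_am.pki.consent",
}


def kv_form(fields, signed):
    """OpenID 2.0 key-value form of the signed fields: 'name:value\\n' in 'signed' order."""
    return "".join("%s:%s\n" % (name, fields[name]) for name in signed)


def openid_mac(fields, signed, mac_key):
    """HMAC-SHA256 over the key-value form, base64-encoded as in an OpenID 'sig' field."""
    mac = hmac.new(mac_key, kv_form(fields, signed).encode(), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()


def op_sign(fields, signed, mac_key):
    """What the OP does: declare which fields are signed and attach the signature."""
    out = {**fields, "signed": ",".join(signed)}
    out["sig"] = openid_mac(out, signed, mac_key)
    return out


def rp_check(fields, mac_key, required_methods, pki_requirements=None):
    """RP side: verify the signature, then judge the method assertion against a
    local policy. Returns (accepted, reason)."""
    signed = fields.get("signed", "").split(",")
    if any(name not in fields for name in signed):
        return False, "signed list names a field that is absent"
    if not hmac.compare_digest(openid_mac(fields, signed, mac_key), fields.get("sig", "")):
        return False, "bad signature"
    # An extension field outside the signed list says nothing about what the OP
    # did; only method claims the OP actually signed are trusted.
    if METHOD_FIELD not in signed:
        return False, "method assertion not signed"
    methods = set(fields[METHOD_FIELD].split())  # assumed: space-separated values
    if not methods or not methods <= ALLOWED_METHODS:
        return False, "unknown or empty method set %s" % sorted(methods)
    if not methods & required_methods:
        return False, "used %s, policy requires one of %s" % (sorted(methods), sorted(required_methods))
    if "pki" in methods and pki_requirements:
        for attr, wanted in pki_requirements.items():
            name = PKI_FIELDS[attr]
            if name not in signed:
                return False, "pki %s not signed" % attr
            if fields[name] != wanted:
                return False, "pki %s is %r, policy requires %r" % (attr, fields[name], wanted)
    return True, "accepted: " + " ".join(sorted(methods))


MAC_KEY = b"constructed-association-mac-key"  # constructed; a real key comes from the association


def demo():
    """Constructed responses run through one RP policy: accept otp or pki only,
    and pki only when the key is a non-exportable hardware key."""
    base = {  # keys shown without the 'openid.' prefix, as in key-value form
        "ns": "http://specs.openid.net/auth/2.0", "mode": "id_res",
        "op_endpoint": "https://op.example/", "claimed_id": "https://op.example/alice",
        "identity": "https://op.example/alice", "return_to": "https://rp.example/finish",
        "response_nonce": "2008-10-06T12:00:00ZabcDEF", "assoc_handle": "constructed-handle",
    }
    core = list(base)
    policy = dict(required_methods={"otp", "pki"},
                  pki_requirements={"storage": "hardware", "policy": "not exportable"})
    pki = {METHOD_FIELD: "pki", PKI_FIELDS["storage"]: "hardware",
           PKI_FIELDS["algorithm"]: "RSA_1024", PKI_FIELDS["policy"]: "not exportable",
           PKI_FIELDS["consent"]: "passphrase"}
    ext = [METHOD_FIELD] + list(PKI_FIELDS.values())
    results = {}
    # 1. Hardware-backed PKI with every extension field signed: accepted.
    results["hardware_pki"] = rp_check(op_sign({**base, **pki}, core + ext, MAC_KEY), MAC_KEY, **policy)
    # 2. Same claim, but the OP signed only the core fields: the claim is unverifiable.
    results["unsigned_claim"] = rp_check(op_sign({**base, **pki}, core, MAC_KEY), MAC_KEY, **policy)
    # 3. Exportable software key: signature fine, local policy says no.
    soft = {**pki, PKI_FIELDS["storage"]: "software", PKI_FIELDS["policy"]: "exportable"}
    results["exportable_key"] = rp_check(op_sign({**base, **soft}, core + ext, MAC_KEY), MAC_KEY, **policy)
    # 4. Signed as a software key, then the storage attribute altered in transit: HMAC mismatch.
    altered = op_sign({**base, **soft}, core + ext, MAC_KEY)
    altered[PKI_FIELDS["storage"]] = "hardware"
    results["altered_in_transit"] = rp_check(altered, MAC_KEY, **policy)
    # 5. Password plus biometric, neither of which this RP accepts.
    weak = {**base, METHOD_FIELD: "password biometric"}
    results["password_biometric"] = rp_check(op_sign(weak, core + [METHOD_FIELD], MAC_KEY), MAC_KEY, **policy)
    return results


if __name__ == "__main__":
    for case, (ok, why) in demo().items():
        print("%-20s %s  %s" % (case, "ACCEPT" if ok else "REJECT", why))
```

The point of case 2 is the one a PAPE-style extension lives or dies on: the extra detail is only worth anything to the RP if the OP binds it into the same signature as the core assertion, so an RP consuming these attributes should check membership in `openid.signed` before reading them, not just that the values look right.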

'Biometric' seems optimistic.


Brian Kelly said...

Paul, just wanted to make a quick comment on the "biometric" method. Indeed, it is optimistic, but we wanted to make sure that we at least referenced it as a method.

password, pki and otp have much more detailed attributes in PAPE-AM. None of the authors are biometric experts, but we could see the spec expanding to include the same level of detail for biometric-based authentication. Also, biometric is a much broader authentication method than pki or otp. Lots of changes still going on in that space.

Sylvain Maret said...
Biometric method should be listed as Authentication Method.

Biometric is not so optimistic.

I did a Proof of Concept with OpenID and Biometric. Have a look:

Sylvain Maret