I know I am missing something in reading the Provider Authentication Policy Extension spec:

http://openid.net/specs/openid-provider-authentication-policy-extension-1_0-01.html

It reads to me that you ask the Open ID Provider (OP) to perform some extra level of authentication. The OP then responds back to you telling you if it performed that authentication or not. How does this prevent, for instance, phishing at all? Can't the OP simply lie about what authentication it did or did not do?

+1  A: 

Quoting the introduction in the document you have linked (emphasis added):

While none of the information expressed via this extension can be verified by the Relying Party using technology alone, this does not limit the utility of this extension. The lack of a single required trust model within OpenID allows for Relying Parties to decide which Providers they trust using whatever criteria they choose - likewise RPs will decide whether or not to trust claims as to authentication policy from such OpenID Providers as well.

PAPE exists merely to request the authentication method to be used, not to verify it.
It's technologically impossible to verify that, for example, the OP uses physical multi-factor auth, so the extension isn't even trying to do it.

Mewp
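To make the answer's point concrete on the relying-party side, here is an added example (not code from the question, the answer, or the spec): an RP that reads the PAPE fields from a positive assertion, refuses to act on them unless they are covered by the OP's signature, and only honours the claimed policies when the OP endpoint is on a trust list the RP maintains out of band. The policy URIs and parameter names follow the PAPE spec; the trust list, the sample response, and the "now" timestamp are constructed for the example.

```python
"""Relying-party evaluation of a PAPE response (added example).

Assumes the positive assertion has already been URL-decoded into a dict of
'openid.*' parameters and that signature verification is done elsewhere by
the OpenID library; this code only checks which fields that signature covers.
"""
from datetime import datetime, timedelta, timezone

PAPE_NS = "http://specs.openid.net/extensions/pape/1.0"
PHISHING_RESISTANT = "http://schemas.openid.net/pape/policies/2007/06/phishing-resistant"
MULTI_FACTOR = "http://schemas.openid.net/pape/policies/2007/06/multi-factor"
MULTI_FACTOR_PHYSICAL = "http://schemas.openid.net/pape/policies/2007/06/multi-factor-physical"
PAPE_NONE = "http://schemas.openid.net/pape/policies/2007/06/none"

# Constructed trust list: OP endpoints whose PAPE claims this hypothetical RP
# has decided to believe. The protocol cannot make this decision for the RP.
TRUSTED_PAPE_OPS = {"https://op.example.com/server"}

# Constructed sample assertion as it would look after URL-decoding.
SAMPLE_RESPONSE = {
    "openid.op_endpoint": "https://op.example.com/server",
    "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,"
                     "assoc_handle,ns.pape,pape.auth_policies,pape.auth_time",
    "openid.ns.pape": PAPE_NS,
    "openid.pape.auth_policies": PHISHING_RESISTANT + " " + MULTI_FACTOR,
    "openid.pape.auth_time": "2024-05-01T12:00:00Z",
}
SAMPLE_NOW = datetime(2024, 5, 1, 12, 5, tzinfo=timezone.utc)


def parse_pape(response):
    """Return the PAPE claims from an assertion, or None if the OP did not
    answer in the PAPE namespace. Unsigned PAPE fields are ignored, because
    anything outside the signed list could have been added in transit."""
    if response.get("openid.ns.pape") != PAPE_NS:
        return None
    signed = set(response.get("openid.signed", "").split(","))
    if "ns.pape" not in signed or "pape.auth_policies" not in signed:
        return None
    policies = response.get("openid.pape.auth_policies", "").split()
    policies = {p for p in policies if p != PAPE_NONE}
    when = None
    auth_time = response.get("openid.pape.auth_time")
    if auth_time and "pape.auth_time" in signed:
        when = datetime.strptime(auth_time, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"policies": policies, "auth_time": when}


def evaluate_pape(response, required_policies, max_auth_age=None, now=None):
    """Decide whether to accept the login for a resource that requires the
    given policies. Returns (accepted, reason)."""
    op_endpoint = response.get("openid.op_endpoint", "")
    pape = parse_pape(response)
    if pape is None:
        return False, "OP returned no signed PAPE information"
    # The claim itself is unverifiable; only honour it from OPs we chose to trust.
    if op_endpoint not in TRUSTED_PAPE_OPS:
        return False, "PAPE claims from %r are not trusted by this RP" % op_endpoint
    missing = set(required_policies) - pape["policies"]
    if missing:
        return False, "OP did not claim required policies: " + ", ".join(sorted(missing))
    if max_auth_age is not None:
        if pape["auth_time"] is None:
            return False, "OP did not report a signed auth_time"
        now = now or datetime.now(timezone.utc)
        if now - pape["auth_time"] > timedelta(seconds=max_auth_age):
            return False, "authentication is older than max_auth_age"
    return True, "accepted"


if __name__ == "__main__":
    print(evaluate_pape(SAMPLE_RESPONSE, {PHISHING_RESISTANT}, 600, SAMPLE_NOW))
```

The trust list is the whole point: an OP can claim any policy it likes, so the only thing the RP can enforce by itself is that the claim is signed and comes from an OP it has chosen to believe.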