Technical Summary
This memo proposes requirements for protocols between web identity
providers and users and for requirements for protocols between
identity providers and relying parties. These requirements minimize
the likelihood that criminals will be able to gain the credentials
necessary to impersonate a user or be able to fraudulently convince
users to disclose personal information. To meet these requirements
browsers must change. Websites must never receive information such
as passwords that can be used to impersonate the user to third
parties. Browsers should perform mutual authentication and flag
situations when the target website is not authorized to accept the
identity being offered as this is a strong indication of fraud.
Working Group Summary
This is an individual submission, based on requirements that
gained consensus in the WAE BOF.
A couple of interesting discussions that came up during review
with the following results:
- Can the documents apply to environments other than the Web?
In theory, but due to author discretion and time, it does not.
- Should non-password-based mechanisms be required? Yes
Protocol Quality
Lisa Dusseault reviewed this document for the IESG. Alexey Melnikov
volunteered to shepherd and naturally reviewed the document as well.
Other careful reviews were done on request and in IETF last call.
PROTO writeup is preserved in tracker comments.
Note to RFC Editor
The shepherd has noted two references to older versions of drafts,
which will need to be fixed.
IESG Note
(Insert IESG Note here)
IANA Note
No actions are requested of IANA.