[OpenID] Another Anti-Phishing Scheme for OpenID

Aswath Rao aswathr at hotmail.com
Sat Feb 3 19:42:36 UTC 2007

Thanks for the pointer. I had seen the tem used in the brainstorm article in 
the wiki, but I never tracked it down.


----Original Message Follows----
From: "Bob Wyman" <bob at wyman.us>
To: "Aswath Rao" <aswathr at hotmail.com>
CC: general at openid.net
Subject: Re: [OpenID] Another Anti-Phishing Scheme for OpenID
Date: Sat, 3 Feb 2007 12:17:58 -0500

On 2/3/07, Aswath Rao <aswathr at hotmail.com> wrote:> I have a proposal for a
login ceremony that could drastically reduce
>phishing attacks. I would appreciate feedback from you.

What you describe is an "in-chrome" solution -- i.e. one that involves a
modification  to the browser in the form of either a plug-in or built-in
code. This class of solutions is, I think, the correct path to take. Most of
the other approaches that have been proposed can be described as
"work-arounds" to the fact that such in-chrome solutions are not deployed.

Folk tend to avoid specifying in-chrome solutions since they are all too
well aware that as the number of suppliers of browsers has been reduced, the
amount of browser innovation has been seriously reduced. Certainly, the
proponents of these often ugly work-arounds have a point, however, I think
we should bite the bullet and accept that in-chrome solutions are
technically the best and also those that offer the best potential for good
user experiences. Instead of seeking more work-arounds, we should be
focusing on the political problem of figuring out how do we get the browser
developers to deliver the tools we require to provide a safe browsing

bob wyman

More information about the general mailing list