[OpenID] OpenID and phishing (was Announcing OpenIDAuthentication 2.0 - Implementor's Draft 11)

Marcin Jagodziński marcin.jagodzinski at gmail.com
Fri Jan 19 16:31:02 UTC 2007


You're right, this is perhaps out of scope of the spec, but I think it's
as important as the specs. Maybe we should create some page (wiki?) with
"good practices" for ensuring the security of the OP?

regards,

Marcin

2007/1/19, Scott Kveton <scott at janrain.com>:

> This is much like what the Yahoo site seal does today.  The seal is user
> chosen and not tied to the login ... There is more magic to it though as I
> understand there is some flash in there too?  You could do this with a
> question like you mention, an image, etc.
>
> I think the reality is that we'll need a combination of these options for
> the users, most likely with the default set to "paranoid" and then they
> would have the option of disabling if they so choose.
>
> It doesn't seem like any of these are in the scope of the OpenID spec (not
> that they have to, but it's interesting that they aren't).
>
> - Scott
>
>


