[OpenID] OpenID and phishing (was Announcing OpenID Authentication 2.0 - Implementor's Draft 11)
marcin.jagodzinski at gmail.com
Fri Jan 19 16:31:02 UTC 2007
You're right, this is perhaps out of scope of the spec, but I think it's
as important as the specs. Maybe we should create some page (wiki?) with
"good practices" for ensuring the security of the OP?
2007/1/19, Scott Kveton <scott at janrain.com>:
> This is much like what the Yahoo site seal does today. The seal is user
> chosen and not tied to the login ... There is more magic to it though as I
> understand there is some flash in there too? You could do this with a
> question like you mention, an image, etc.
> I think the reality is that we'll need a combination of these options for
> the users, most likely with the default set to "paranoid" and then they
> would have the option of disabling if they so choose.
> It doesn't seem like any of these are in the scope of the OpenID spec (not
> that they have to, but it's interesting that they aren't).
> - Scott