[OpenID] OpenID and phishing (wasAnnouncing OpenIDAuthentication 2.0 - Implementor's Draft 11)

Sat Jan 20 05:52:25 UTC 2007

Hi Scott - firstly, thanks for the considerable reply.

>>> On Saturday, January 20, 2007 at 15:50, in message
<C1D6DF84.27293%scott at janrain.com>, Scott Kveton <scott at janrain.com>
wrote:
>>  Firstly - I don't have an answer - I don't even have a vague
suggestion...
>> I completely understand that it is not an OpenId issue. - it effects
all www
>> traffic.
> 
> Therein lies the biggest problem.

I completely agree - and again don't pretend or a second to have the
answer. And with all the knowledge / experiences that exist within the
list - I think it just goes to show how complex the problem is - that
there still isn't a "definitive" answer.

>> How can it be considered out of spec for OpenId, if the mechanics of
OpenId
>> authentication seem to assist phishing?
>> I clearly see it being something that can hold up the official
release of
>> OpenId 2.0 for a pretty lengthy time - and I realise nobody wants
that to
>> happen. 
> 
> Phishing is a _huge_ problem ... By huge I don't mean its happening
all over
> the place, I mean its an the-Internet-Sucks problem.  That alone is
reason
> enough to leave it as out-of-scope for OpenID.  In addition to that
(and
> others have mentioned this here, I'm merely repeating), auth via a
form is
> just one way of doing OpenID authentication.  Two factor, FOP, etc
are all
> options here so putting "phishing for via a form" into the spec is
> out-of-scope for this document.

> Now, let's be realistic.  The majority of users (at least in the near
term)
> will be using a forms via redirects for logins.  The ideas here on
the list
> are all great and I think putting them all together gives us quite a
> reasonable defense against phishing.  Moreover, the better the
anti-phishing
> technologies get for OpenID, the better they get for the Internet. 
I
> honestly believe that this is a huge opportunity for OpenID ... If we
can
> get it right then that can be a significant driver for OpenID.  After
all,
> then you'd only have to worry about your identity provider having the
right
> technologies to protect you, not every site that you go to.

I do follow and understand your point of view as to why you think it is
out of spec for the OpenId Protocol.
I agree with you.
I have invited my colleagues to join the list and get involved. I still
hope to persuade them.

> I like the idea of having a separate specification or appendix on how
you
> deal with phishing.  I also think the finer points of this discussion
should
> end up in the FAQ; everyone keeps rehashing the same arguments and it
would
> be nice to be able to just point at a FAQ.

Well I certainly think it is a great idea - and certainly agree with
the idea of using the wiki appropriately and creating an "authorative"
FAQ. / technical document repository etc.

=gavin.baumanis