[OpenID] OpenID and phishing (was AnnouncingOpenIDAuthentication 2.0 - Implementor's Draft 11)

Scott Kveton scott at janrain.com
Sat Jan 20 16:00:14 UTC 2007 

> I think that whole login process for OP should have very different UI
> than "normal login". The question is: how to distinguish between OP
> login and other logins.
> 
> This IS a specification issue.
> 
> I think that we should include in spec requirement which says that OP
> has to inform UA that "this is OpenID OP" (using perhaps <meta>
> element in HTML). The UA CAN change its UI when it's informed that the
> page claims to be OP.

This is much like the CardSpace model (if I'm not mistaken).  However, I
think there is more of a MUST in there for CardSpace.

I know Dick floated the idea of having a bit of markup that can be detected
by the UA to initiate some UI change to make it clear that the user is
logging into their OP.  I like the idea as long as its not a MUST.  The
reason I don't like the MUST is that I'm afraid that getting support for it
in every UA (phones, browsers, etc) will take time and stunt adoption of
OpenID.
 
> How will UA reflect the fact that user is browsing site which claims
> to be OP: this is up to
> UA implementation.
> 
> But I strongly feel that OP should inform the UA about being an OP and
> this should be part of OpenID spec.

Let's all not forget that the best part about OpenID 2.0 is that there will
be an OpenID 2.1, 3.0 ... Maybe even XP, Vista or 2008 (I kid).  Putting a
requirement like the above on OpenID 2.0 will halt adoption ... We can't
demand that browsers and other user agents change before we move forward
IMHO.

That said, I'm glad that draft 11 has sparked this discussion ... Its going
to help us start moving _toward_ the ideal ... And as we iterate with OpenID
it will get better and better.  In the name of moving forward it sounds like
we need the following:

* FAQ in the wiki about phishing
* Start an appendix/specification/something about best practices for
phishing when it comes to OpenID.  I'm suggesting that this is outside of
the authentication spec.
* Continue discussions with Mozilla and start them with IE and others to
help get the bits of code on the client that can help alleviate some of the
concerns with phishing.

Thoughts?

- Scott

More information about the general mailing list