[OpenID] OpenID and phishing (was Announcing OpenID Authentication 2.0 - Implementor's Draft 11)

Marcin Jagodziński marcin.jagodzinski at gmail.com
Sat Jan 20 20:50:08 UTC 2007


The simple answer is: if the OP or UA does not comply, everything will work
as today, with great danger of phishing. But I don't think it's a
problem; every OP will add this one line of HTML code to a page or place
a simple text/XML file in some directory, because being trusted is
important for every OP. Another "actor" is the RP. For RPs it's important
to rely on trusted and solid OPs' infrastructure. Maybe RPs will not
accept logins from OPs which have not implemented this? If I were an RP I
wouldn't. The last "actor" is the UA. There is no requirement, only a
strong suggestion to use this method. I feel that plug-in creators
will fill the gap. Plug-ins can be distributed by OPs who care about
being trusted. There is also a possibility that the OP will recognize that
the user is not using a plug-in and will alert him: "Hi, thanks for using
me as your IdP, but I strongly suggest you click here and download the
digitally signed FooOpenSecurity plug-in for FooBrowser, which you
apparently use" (maybe there will be just one plug-in written in
Java?).

Does the SSL specification require the UA to display a padlock? I don't think
so. Will SSL not work if the padlock isn't visible? It'll work.

Damnian suggested a slightly different approach. In his version (if I
understand it), the UA will react earlier, when the login box on the RP page is
displayed. Why do I prefer my version? Because it will be easier to
convince OPs than RPs (the number of RPs should be much greater than the
number of OPs) to comply with some specs.

regards

07-01-20, Chris Messina <chris.messina at gmail.com> wrote:
> I'm confused on this idea, I think... What happens if someone
> *doesn't* comply with this? Will the protocol break? Will login fail?
>
> Chris
>
> On 1/20/07, Scott Kveton <scott at janrain.com> wrote:
> > I'd be curious to hear the thoughts of the spec editors on this suggestion
> > ... I think its a nice middle ground ... Doesn't require us changing the
> > Internet, would work nicely with the other suggestions and could get us
> > headed in the right direction quickly.
> >
> > - Scott

