[OpenID] OpenID and phishing
johnny at sxip.com
Sat Jan 20 22:42:15 UTC 2007
>> On 1/20/07 8:27 AM, "Marcin Jagodziński"
>> <marcin.jagodzinski at gmail.com>
>>> "OP MUST contain [...] markup which can be read by UA to distinguish
>>> it from other login pages"
>>> "UA MAY use it to present some special GUI and take other steps to
>>> prevent phishing" (or maybe SHOULD).
> On 1/20/07, Scott Kveton <scott at janrain.com> wrote:
>> I'd be curious to hear the thoughts of the spec editors on this
>> ... I think its a nice middle ground ... Doesn't require us
>> changing the
>> Internet, would work nicely with the other suggestions and could
>> get us
>> headed in the right direction quickly.
On 20-Jan-07, at 12:21 PM, Chris Messina wrote:
> I'm confused on this idea, I think... What happens if someone
> *doesn't* comply with this? Will the protocol break? Will login fail?
Exactly! As much as I would like to have these as MUSTs in the real
world, I don't see a way to put them in the spec as requirements.
Having a MUST implies that, if it is not complied with, the party at
the other end of the transaction MUST fail. And therein lies the
problem: OP - end user authentication is out of scope of the OpenID
spec. If it weren't, an OpenID-speaking entity would be needed on the
user side during that transaction.
no-password.com can be a compliant OP, if it (and its users) choose
to not care about security at this stage.
So the only way to tie the OP - end user authentication with the spec
is with security recommendations for the OPs that *are* concerned
with security. And this part is currently mentioned in the spec, by
acknowledging the attack and pointing out that a secure channel
between the OP and the user is needed to prevent it.
Of course, the problem remains if no-password.com markets itself as
super-secure-op.com, fools users into using it, and later on the
users want to use these identities to login to their banks.
So the issue (as I see it) is making the users aware that, if online
identity is important to them, the trust associated with the
relationship they have with their identity "keepers" - the OPs -
should be similar to the trust they have in their banks for keeping
More information about the general