[OpenID] OpenID and phishing
Ka-Ping Yee
openid at zesty.ca
Sat Jan 20 22:48:47 UTC 2007
On Sat, 20 Jan 2007, Mike Beltzner wrote:
> Again, we're agreeing, and I think you'll find that assuming that
> things are black & white (ie: that either people care about
> phishing, or that they don't) will make this conversation ultimately
> less fruitful.
If what I said implied that assumption, then I regret it. Taking into
account users' non-binary perceptions of effort and risk is definitely
the right way to look at this problem.
> So let's work together so that deploying OpenID *doesn't* necessarily
> mean significantly increasing the risk of phishing (eg: "no
> regressions") but not be so specific that the OpenID specification
> ends up limiting future implementations that might, as Chris says, be
> smarter than us and have better ways for preventing phishing.
I agree.
> > The spec should openly acknowledge that the current practice, which
> > is also the most illustrated practice, is not safe, and outline why.
>
> Yup.
Good!
> > On the other hand, it is probably a good idea to legislate or strongly
> > recommend *against* the specific practice we know to be dangerous --
> > redirecting from a validation request straight to a username/password
> > login form -- and this practice should not be used in examples.
> >
> > Can we agree on that?
>
> Yup.
Hooray. We all win!
-- ?!ng