[OpenID] OpenID and phishing

Marcin Jagodziński marcin.jagodzinski at gmail.com
Sat Jan 20 23:01:13 UTC 2007


Maybe my view of specs is biased; I'm coming from the web development
world, where specs and reality are two different realms. But no one
wanted, e.g., the "alt" attribute to be removed from the specs just because
images were displayed even when "alt" was omitted and there are many
pages where "alt" is omitted. "alt" is mandatory for the <img> tag. The
same situation applies here.

I don't think that if the OP MUST include a claim (to the UA, not to the RP) "I am
the OP" in any form, the RP MUST check it and the whole transaction MUST fail
if the OP does not make this claim.

But maybe you're right that this is out of scope; I'm not insisting
on putting it into the specs. I'd feel much safer if it were used, not
just specified.

regards,

Marcin

> On 20-Jan-07, at 12:21 PM, Chris Messina wrote:
> > I'm confused on this idea, I think... What happens if someone
> > *doesn't* comply with this? Will the protocol break? Will login fail?
>
> Exactly! As much as I would like to have these as MUSTs in the real
> world, I don't see a way to put them in the spec as requirements.
>
> Having a MUST implies that, if it is not complied with, the party at
> the other end of the transaction MUST fail. And therein lies the
> problem: OP - end user authentication is out of scope of the OpenID
> spec. If it weren't, an OpenID-speaking entity would be needed on the
> user side during that transaction.
>
> no-password.com can be a compliant OP, if it (and its users) choose
> to not care about security at this stage.
>
> So the only way to tie the OP - end user authentication with the spec
> is with security recommendations for the OPs that *are* concerned
> with security. And this part is currently mentioned in the spec, by
> acknowledging the attack and pointing out that a secure channel
> between the OP and the user is needed to prevent it.
>
> Of course, the problem remains if no-password.com markets itself as
> super-secure-op.com, fools users into using it, and later on the
> users want to use these identities to login to their banks.
>
> So the issue (as I see it) is making the users aware that, if online
> identity is important to them, the trust associated with the
> relationship they have with their identity "keepers" - the OPs -
> should be similar to the trust they have in their banks for keeping
> their money.
>
>
> Johnny