[OpenID] OpenID and phishing

Marcin Jagodziński marcin.jagodzinski at gmail.com
Sun Jan 21 10:03:26 UTC 2007


It's not "'merely' to help prevent abuse that is prevalent
today and you're starting to stray outside the focus of the spec."
Many parts of the spec are there just to prevent some security threats. And in
this case the "self claim" can be used not only to prevent phishing (it may
be used for autodiscovery of OP services, for example).

I don't know why we should stay away from UA-related stuff. I know
OpenID is about RPs and OPs, but the UA IS a part of this story. There
is always some UA interacting with the RP/OP.

> Furthermore, XHTML, as has been pointed out, may not be the only
> interface by which someone logs into their account: consider Flash
> logins, XAML, Apollo and the like... languages and binaries that are
> not necessarily easy to solicit such "identifying marks" from.

I'm not proposing any particular syntax for this claim. Maybe we can
work out something that is cross-platform?

> And lastly, what should the UA do in the case of a login form that
> self-identifies as you suggest, but is not at all what it claims to
> be? Can or should the UA be able to disambiguate a real from a fake?
> Or to somehow know when the markup you're suggesting is being used
> correctly?

It's up to the UA. Can the UA disambiguate a real from a fake?
Yes, in many cases it can. E.g. the OP is blacklisted, is not
whitelisted anywhere, and the UA has never seen the page before: it's almost
certainly a fake. In other cases, the UA should warn the user and respect
her decision.

regards,

Marcin

PS. I'm cross-posting this to the security list.
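The UA-side decision Marcin sketches (blacklisted, whitelisted nowhere, never seen before: almost certainly a fake; otherwise warn and let the user decide) as an added worked example. This is not code from the original message or from any OpenID implementation. Since the post proposes no syntax for the self-claim, the `<meta name="openid.op">` tag, the `classifyLoginPage` function, the policy shape (sets of hostnames) and the sample pages are all assumptions constructed for the demo:

```javascript
// Added example (not from the original post): a UA-side heuristic for a login
// form that "self-claims" to belong to an OpenID Provider. The claim syntax
// (a <meta name="openid.op"> tag) and the policy shape are assumptions.

const VERDICT = Object.freeze({ FAKE: "fake", TRUSTED: "trusted", WARN: "warn" });

// Pull the self-claim out of a page. Assumed syntax; a real UA would read the
// DOM rather than regex the markup.
function extractClaim(html) {
  const m = /<meta\s+name="openid\.op"\s+content="([^"]*)"/i.exec(html);
  return m ? m[1] : null;
}

function hostOf(url) {
  if (typeof url !== "string") return null;
  try {
    return new URL(url).hostname.toLowerCase();
  } catch (e) {
    return null; // unparsable claim or origin: treat as absent
  }
}

// page:   { origin, claimedOp }  origin is where the form is served from,
//         claimedOp is the OP the form says it belongs to (null if none).
// policy: { blacklist, whitelist, history }  Sets of hostnames; history is
//         what this UA has seen before.
function classifyLoginPage(page, policy) {
  const pageHost = hostOf(page.origin);
  const claimedHost = hostOf(page.claimedOp);
  if (pageHost === null || claimedHost === null) {
    return VERDICT.WARN; // nothing to check against: ask the user
  }
  const blacklisted = policy.blacklist.has(pageHost);
  const whitelisted = policy.whitelist.has(pageHost);
  const seenBefore = policy.history.has(pageHost);

  // The post's own case: blacklisted, whitelisted nowhere, never seen -> fake.
  if (blacklisted && !whitelisted && !seenBefore) return VERDICT.FAKE;

  // Assumption: a whitelisted, non-blacklisted host whose claim matches where
  // the form is actually served is the one case the UA can call clean alone.
  if (whitelisted && !blacklisted && claimedHost === pageHost) {
    return VERDICT.TRUSTED;
  }

  // Everything else (claim/origin mismatch, unknown host, conflicting lists):
  // warn and respect the user's decision.
  return VERDICT.WARN;
}

// Constructed sample policy and pages for the demo (not real hosts or lists).
const samplePolicy = {
  blacklist: new Set(["evil.example"]),
  whitelist: new Set(["op.example"]),
  history: new Set(["op.example"]),
};

const claimOp = '<meta name="openid.op" content="https://op.example/">';
const claimOther = '<meta name="openid.op" content="https://other.example/">';
const samplePages = [
  { origin: "https://evil.example/login", html: claimOp },   // blacklisted, claims op.example
  { origin: "https://op.example/login", html: claimOp },     // genuine OP login form
  { origin: "https://new.example/login", html: claimOp },    // unknown host, claim mismatch
  { origin: "https://op.example/login", html: "<html></html>" }, // no claim at all
  { origin: "https://op.example/login", html: claimOther },  // whitelisted but claims another OP
];

function runDemo() {
  return samplePages.map((p) =>
    classifyLoginPage({ origin: p.origin, claimedOp: extractClaim(p.html) }, samplePolicy)
  );
}

console.log(runDemo());
```

The only verdict the UA reaches on its own here is the negative one from the post; a positive verdict is deliberately limited to a whitelisted host whose claim matches its own origin, and every other combination, including a trusted host claiming to be a different OP, falls through to a warning that leaves the decision with the user.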



More information about the general mailing list