[OpenID] Announcing OpenID Authentication 2.0 - Implementor'sDraft 11
pbaker at verisign.com
Mon Jan 22 15:06:30 UTC 2007
> [mailto:specs-bounces at openid.net] On Behalf Of Ben Laurie
> More importantly, I think I have a solution that will make
> both of us happy, but I now have to go and ride my motorbike
> fast, so I'll detail it later.
Now there is an exit line to tempt the Gods.
The only way that I can see that you are going to circumvent an attempt using existing browser capabilities is to introduce a malicious login page is through use of some form of shared secret such as a picture of a cuddly animal chosen by the user or Secure Letterhead.
Letterhead requires a browser upgrade so it breaks the 'existing capabilities' constraint.
If you change the browser you might as well really change the browser and use a strong authentication mechanism based on PKI
I think we need to take another look at the 'change the browser' case and make sure that we can take full advantage if the browser is changed.
More information about the general