<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=us-ascii">
<META content="MSHTML 6.00.5730.11" name=GENERATOR></HEAD>
<BODY style="MARGIN: 4px 4px 1px; FONT: 10pt Comic Sans MS; COLOR: #000000">
<DIV>Scott - and everyone else on the list....</DIV>
<DIV> </DIV>
<DIV>My query is at your comment (Scott) of <BR></DIV>
<DIV>>>Ben: since its clearly not an issue for the spec, do you have any<BR>>>suggestions on how to combat phishing for OpenID's?</DIV>
<DIV> </DIV>
<DIV>Firstly - I don't have an answer - I don't even have a vague suggestion...</DIV>
<DIV>I completely understand that it is not an OpenId issue. - it effects all www traffic.</DIV>
<DIV> </DIV>
<DIV>Now for the possibility of completely embarrassing myself - due to lack of knowledge;</DIV>
<DIV> </DIV>
<DIV>How can it be considered out of spec for OpenId, if the mechanics of OpenId authentication seem to assist phishing?</DIV>
<DIV>I clearly see it being something that can hold up the official release of OpenId 2.0 for a pretty lengthy time - and I realise nobody wants that to happen. </DIV>
<DIV> </DIV>
<DIV>I take onboard the thoughts of others on the list of not getting bogged down in attribute exchange etc, to the detriment of the 2.0 spec. that those things should be treated separately and the spec should get the "final release" that everyone wants.</DIV>
<DIV> </DIV>
<DIV>It just seems a little naive / slack, even, to take the attitude that since phishing is such a big issue and since OpenId isn't the only technology effected by it - then we shouldn't get involved in it. - Now, I realise that no one is suggesting that either.... but I think not addressing it in the spec - considering OpenID "almost" lends itself to a phishing attack is not a wise decision either.</DIV>
<DIV> </DIV>
<DIV>I could be completely wrong - and would truly appreciate to be pointed in the right direction - if I have it wrong.</DIV>
<DIV> </DIV>
<DIV>=gavin.baumanis</DIV>
<DIV> </DIV>
<DIV><BR>>>> On Saturday, January 20, 2007 at 04:30, in message <C1D6404B.27172%scott@janrain.com>, Scott Kveton <scott@janrain.com> wrote:<BR></DIV>
<DIV style="PADDING-LEFT: 7px; MARGIN: 0px 0px 0px 15px; BORDER-LEFT: #050505 1px solid; BACKGROUND-COLOR: #f3f3f3">>> Solving this problem might not be a goal of the OpenID 2.0 Auth spec.<BR>>> but surely some attention should be given to mitigating the issue?<BR>> <BR>> Exactly. I wouldn't expect OpenID to _solve_ phishing all on its<BR>> lonesome, but making it worse really does strike me as a serious<BR>> problem - and one that should cause all security people to recommend<BR>> avoiding it like the plague. We should be progressing on phishing, not<BR>> regressing.<BR><BR>I think the suggestions on this list are a great start and I'm sure we'll<BR>see folks starting to implement them soon.<BR><BR>Ben: since its clearly not an issue for the spec, do you have any<BR>suggestions on how to combat phishing for OpenID's?<BR><BR>> OTOH, I think this religious attitude that says browser plugins are to<BR>> be avoided at all costs is wrong-heade!
d. Browser authentication is<BR>> broken. Someone has to apply pressure that'll fix that situation!<BR><BR>Even browser extensions can be phished. What about extensions that do bad<BR>things to other extensions? Trojan extensions?<BR><BR>I think there has to be some smarts built into the browser that can't be<BR>affected by installed extensions to really solve this problem. I'm excited<BR>to see Mozilla engaged in this discussion already (thanks Mike for the links<BR>this morning).<BR><BR>- Scott<BR><BR>_______________________________________________<BR>general mailing list<BR>general@openid.net<BR><A href="http://openid.net/mailman/listinfo/general">http://openid.net/mailman/listinfo/general</A><BR></DIV></BODY></HTML>