Proposal: An anti-phishing compromise
Johnny Bufu
johnny at sxip.com
Fri Feb 2 17:41:32 UTC 2007
On 2-Feb-07, at 7:05 AM, George Fletcher wrote:
> but I'm still not sure how this helps with the phishing problem.
> As you pointed out John, the issue is a rogue RP redirecting to a
> rogue OP. So the rogue OP just steals the credentials and returns
> whatever it wants.
In this case, the rogue RP is not interested at all in the auth
response from the rogue OP (or for that matter from the legitimate
OP); just in stealing the user's credentials.
The phishing field prevents the phisher from later using these
credentials on a legitimate RP (which will be contacting the
legitimate OP) to impersonate the user -- if the RP enforces
"phishable = no".
Johnny
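The enforcement step described in this message, as an added worked example that is not part of the thread or of any OpenID implementation: a legitimate OP signs its positive assertion with the association secret it shares with the RP and includes a field saying whether the credentials the user presented were phishable; the RP accepts only if that field is inside the signature and says "no". The parameter name `phishable`, the HMAC-SHA256 signing over key-value form, the association secret and the identities and URLs are all assumptions constructed for the demo (the proposal names only the concept of a "phishing field").

```python
import hmac
import hashlib

# Assumed name for the proposed field; the thread gives no concrete name.
PHISHABLE_PARAM = "phishable"

# Constructed association secret shared by the legitimate OP and the RP
# (in OpenID this comes out of the association handshake; here it is a fixture).
ASSOC_SECRET = b"constructed-association-secret-for-demo"
RETURN_TO = "https://rp.example/return"      # constructed RP return URL
IDENTITY = "https://alice.example/"          # constructed user identifier


def kv_form(params, signed):
    """Key-value form of the signed fields, in the order listed in 'signed'."""
    return "".join(f"{k}:{params[k]}\n" for k in signed)


def sign(params, signed, secret):
    """HMAC-SHA256 over the key-value form (assumed signing scheme for the demo)."""
    return hmac.new(secret, kv_form(params, signed).encode(), hashlib.sha256).hexdigest()


def op_auth_response(identity, return_to, credentials_phishable, secret=ASSOC_SECRET):
    """Legitimate OP: positive assertion that also states how the user authenticated.
    The phishable field is part of the signed set, so the bearer cannot flip it."""
    params = {
        "mode": "id_res",
        "identity": identity,
        "return_to": return_to,
        PHISHABLE_PARAM: "yes" if credentials_phishable else "no",
    }
    signed = ["mode", "identity", "return_to", PHISHABLE_PARAM]
    params["signed"] = ",".join(signed)
    params["sig"] = sign(params, signed, secret)
    return params


def rp_verify(response, expected_return_to, secret=ASSOC_SECRET, require_unphishable=True):
    """RP side. Returns (accepted, reason). Every field the decision depends on
    must be covered by the OP's signature, including the phishable field."""
    if response.get("mode") != "id_res":
        return False, "not a positive assertion"
    signed = response.get("signed", "").split(",")
    for field in ("mode", "identity", "return_to"):
        if field not in signed:
            return False, f"{field} not covered by signature"
    try:
        expected = sign(response, signed, secret)
    except KeyError as missing:
        return False, f"signed field {missing} absent"
    if not hmac.compare_digest(expected, response.get("sig", "")):
        return False, "bad signature"
    if response["return_to"] != expected_return_to:
        return False, "return_to mismatch"
    if require_unphishable:
        if PHISHABLE_PARAM not in signed:
            return False, "phishable field missing or unsigned"
        if response[PHISHABLE_PARAM] != "no":
            return False, "OP reports phishable credentials"
    return True, "ok"


# Scenarios from the thread, constructed for the demo.
def scenario_user_with_unphishable_credentials():
    # Alice authenticates at the legitimate OP with a non-phishable method.
    return rp_verify(op_auth_response(IDENTITY, RETURN_TO, False), RETURN_TO)


def scenario_phisher_replays_stolen_password():
    # Phisher logs in at the legitimate OP with Alice's stolen password;
    # the OP truthfully marks the assertion phishable and the RP refuses it.
    return rp_verify(op_auth_response(IDENTITY, RETURN_TO, True), RETURN_TO)


def scenario_phisher_tampers_field():
    # Phisher rewrites the field to "no" on the way to the RP; the signature breaks.
    r = op_auth_response(IDENTITY, RETURN_TO, True)
    r[PHISHABLE_PARAM] = "no"
    return rp_verify(r, RETURN_TO)


def scenario_without_rp_enforcement():
    # Same stolen-password assertion at an RP that does not enforce the policy.
    return rp_verify(op_auth_response(IDENTITY, RETURN_TO, True), RETURN_TO,
                     require_unphishable=False)


if __name__ == "__main__":
    for s in (scenario_user_with_unphishable_credentials, scenario_phisher_replays_stolen_password,
              scenario_phisher_tampers_field, scenario_without_rp_enforcement):
        print(f"{s.__name__}: {s()}")
```

The last scenario is the caveat in the message: the field only helps where the RP actually checks it, and it must be inside the signed set, otherwise the bearer of the assertion could strip or rewrite it.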