Proposal: An anti-phishing compromise

Johnny Bufu johnny at sxip.com
Fri Feb 2 19:51:28 UTC 2007


On 2-Feb-07, at 11:22 AM, john kemp wrote:

> Johnny Bufu wrote:
>>
>> On 2-Feb-07, at 7:05 AM, George Fletcher wrote:
>>> but I'm still not sure how this helps with the phishing problem.  As
>>> you pointed out John, the issue is a rogue RP redirecting to a rogue
>>> OP.  So the rogue OP just steals the credentials and returns whatever
>>> it wants.
>>
>> In this case, the rogue RP is not interested at all in the auth response
>> from the rogue OP (or for that matter from the legitimate OP); just in
>> stealing the user's credentials.
>>
>> The phishing field prevents the phisher from later using these credentials
>> on a legitimate RP (which will be contacting the legitimate OP) to
>> impersonate the user -- if the RP enforces "phishable = no".
>
> I guess I'm confused by the above.
>
> If the OP has stolen the user's credentials, it can just say "phishable
> = no" and pass its assertion regarding those credentials to the RP.

And the RP (being now a legitimate one) will perform verification on
the assertion, which will fail as it is not coming from the legitimate /
authoritative OP.

> This is about a rogue OP, and the relationship between the OP and the user,
> not really about the relationship between the OP and RP (although if the
> RP knew whether or not it could trust the OP by some out-of-band means,
> it would simply not accept an assertion from the OP unless that trust
> was established).

The RP only trusts that the user has chosen an OP to suit their  
needs, and OpenID lets the RP make sure the assertions are coming  
from the legitimate / authoritative OP the user has chosen.

> You might use a rogue RP to start the attack, but the attack is actually
> performed by the rogue OP, not the rogue RP.

Since the "rogue OP" is not authoritative for the phished user at any  
other RP, I rather see it as an extension of the rogue RP; it's  
basically the rogue RP that's proxying the output from the legitimate  
OP, so in a sense there's no real "rogue OP".


Johnny
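The point Johnny makes above, that the RP's own verification defeats a rogue OP that simply asserts "phishable = no", can be shown with a small relying-party check. The code below is an added illustration, not code from this thread or from any OpenID library. It assumes a constructed discovery table (claimed identifier to authoritative OP endpoint), constructed association secrets, and the hypothetical "openid.phishable" field the thread proposes; the signing format follows OpenID 2.0's "key:value\n" concatenation over the fields listed in openid.signed.

```python
import base64
import hashlib
import hmac

# Constructed discovery results: what the RP learned by resolving the
# claimed identifier itself, independently of anything the OP says.
DISCOVERED_OP = {
    "https://alice.example.net/": "https://op.example.net/auth",
}

# Constructed RP-side association store: (op_endpoint, assoc_handle) -> secret.
# The RP only ever established an association with the authoritative OP.
ASSOCIATIONS = {
    ("https://op.example.net/auth", "assoc-1"): b"constructed-legit-secret",
}

LEGIT_SECRET = b"constructed-legit-secret"
ROGUE_SECRET = b"constructed-rogue-secret"   # the rogue OP never shares this with the RP


def sign(fields, signed_keys, secret):
    """HMAC over 'key:value\\n' pairs for each key in openid.signed (OpenID 2.0 style)."""
    payload = "".join(f"{k}:{fields['openid.' + k]}\n" for k in signed_keys).encode()
    digest = hmac.new(secret, payload, hashlib.sha256).digest()
    return base64.b64encode(digest).decode()


def make_assertion(op_endpoint, assoc_handle, claimed_id, phishable, secret):
    """Build a positive assertion as an OP (legitimate or rogue) would send it."""
    fields = {
        "openid.op_endpoint": op_endpoint,
        "openid.assoc_handle": assoc_handle,
        "openid.claimed_id": claimed_id,
        "openid.identity": claimed_id,
        "openid.phishable": phishable,   # hypothetical field from the proposal
    }
    signed = ["op_endpoint", "assoc_handle", "claimed_id", "identity", "phishable"]
    fields["openid.signed"] = ",".join(signed)
    fields["openid.sig"] = sign(fields, signed, secret)
    return fields


def rp_verify(fields):
    """Relying-party verification. Returns (accepted, reason)."""
    claimed_id = fields.get("openid.claimed_id")
    authoritative = DISCOVERED_OP.get(claimed_id)
    if authoritative is None:
        return False, "no discovery result for claimed_id"
    # 1. The asserting OP must be the one discovery names for this identifier.
    if fields.get("openid.op_endpoint") != authoritative:
        return False, "op_endpoint is not authoritative for claimed_id"
    # 2. The signature must verify under an association the RP holds with that OP.
    secret = ASSOCIATIONS.get((authoritative, fields.get("openid.assoc_handle")))
    if secret is None:
        return False, "unknown association handle"
    signed = fields.get("openid.signed", "").split(",")
    required = {"op_endpoint", "assoc_handle", "claimed_id", "identity", "phishable"}
    if not required <= set(signed):
        return False, "required fields are not covered by the signature"
    expected = sign(fields, signed, secret)
    if not hmac.compare_digest(expected, fields.get("openid.sig", "")):
        return False, "bad signature"
    # 3. Only now is the phishable flag trustworthy enough to enforce policy on.
    if fields.get("openid.phishable") != "no":
        return False, "RP policy requires phishable = no"
    return True, "ok"


def demo():
    """Three assertions for the same claimed identifier, as seen by a legitimate RP."""
    alice = "https://alice.example.net/"
    legit = make_assertion("https://op.example.net/auth", "assoc-1", alice, "no", LEGIT_SECRET)
    # Rogue OP honestly names its own endpoint and claims phishable = no.
    rogue = make_assertion("https://rogue.example.org/auth", "assoc-r", alice, "no", ROGUE_SECRET)
    # Rogue OP spoofs the legitimate endpoint and handle but cannot sign with the shared secret.
    spoofed = make_assertion("https://op.example.net/auth", "assoc-1", alice, "no", ROGUE_SECRET)
    return {
        "legit": rp_verify(legit),
        "rogue": rp_verify(rogue),
        "spoofed": rp_verify(spoofed),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:8s} -> {result}")
```

The rogue OP's "phishable = no" never reaches the policy step: it is rejected either because discovery for the claimed identifier does not point at its endpoint, or, if it spoofs the legitimate endpoint, because it cannot produce a signature under the association the RP shares with the real OP. This is why, as the message above puts it, there is in effect no "rogue OP" from the legitimate RP's point of view.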
