Proposal: An anti-phishing compromise
Claus Färber
GMANE at faerber.muc.de
Fri Feb 2 13:01:00 UTC 2007
Recordon, David <drecordon at verisign.com> wrote:
> Add a single, required, boolean field to the authentication response
> that specifies whether or not the method the OP used to authenticate
> the user is phishable. The specification will have to provide
> guidelines on what properties an authentication mechanism needs to
> have in order to be "non-phishable." The field is just meant to
> indicate that the authentication mechanism that was used is not a
> standard "secret entered into a Web form."
What should the RP do with that flag? If they lock out users who are
"phishable", OPs will simply start to lie about their "non-phishability".
The main problem, however, is that it actually adds to the phishing
problem by providing rogue RPs with valuable information about security
risks.
Claus