Proposal: An anti-phishing compromise

Dick Hardt dick at sxip.com
Fri Feb 9 08:16:38 UTC 2007


I chatted with Avery about this today.

URIs for specific auth methods as well as ones for general seems to be the flexible approach.

Per Kim's laws, the method of auth may not be needed, so it is extra disclosure.


On 8-Feb-07, at 11:38 PM, Recordon, David wrote:

> Maybe laws are meant to be broken.  I don't see why a RP knowing that I
> used a token as a second factor is a bad thing.  If nothing else, the
> technology should support the OP providing that information and the OP's
> implementation can let me as the user decide if I want to.  Just like
> the trust request, it isn't mandated by the spec but every worthwhile OP
> does it.
>
> My $0.02.
>
> --David
>
> -----Original Message-----
> From: specs-bounces at openid.net [mailto:specs-bounces at openid.net] On
> Behalf Of Dick Hardt
> Sent: Sunday, February 04, 2007 11:42 PM
> To: Granqvist, Hans
> Cc: OpenID specs list
> Subject: Re: Proposal: An anti-phishing compromise
>
>
> On 1-Feb-07, at 2:36 PM, Granqvist, Hans wrote:
>>> Add a single, required, boolean field to the authentication response
>>> that specifies whether or not the method the OP used to authenticate
>>> the user is phishable. The specification will have to provide
>>> guidelines on what properties an authentication mechanism needs to
>>> have in order to be "non-phishable." The field is just meant to
>>> indicate that the authentication mechanism that was used is not a
>>> standard "secret entered into a Web form."
>>
>> The receiver should decide what is 'non-phishable', not the sender, so
>> it would be better if the OP just states what mechanism was used,
>> perhaps.
>
> Per Kim's laws, how I authenticate to my OP is none of the RP's
> business.
> That I authenticated in a phishing resistant manner is.
>
> i.e. we want the OP to make the statement that it followed certain
> anti-phishing guidelines.
>
> There is no certainty that the OP followed them, but the RP and user
> have recourse against an OP if the OP stated that it did follow the
> anti-phishing guidelines.
>
> -- Dick
> _______________________________________________
> specs mailing list
> specs at openid.net
> http://openid.net/mailman/listinfo/specs
>
>
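An RP-side sketch of the URI-based approach Dick describes (general policy URIs alongside specific-method URIs), added here as an example and not code from the thread or from any OpenID library. The field name auth_policies, the policy URIs and the sample responses are assumptions constructed for illustration; the one fixed point is that an RP should only treat a field as an OP statement if it is covered by the signature.

```python
# Added example: RP-side handling of a hypothetical OpenID response field
# carrying authentication-policy URIs. Field name "auth_policies" and the
# URIs below are assumptions; the thread does not fix any names.

GENERAL_PHISHING_RESISTANT = "http://example.org/policy/phishing-resistant"
# Specific-method URIs the RP chooses to accept as satisfying the general
# property (the RP decides, as Hans argued; the OP need not disclose more).
SPECIFIC_METHODS = {
    "http://example.org/method/hardware-token": GENERAL_PHISHING_RESISTANT,
    "http://example.org/method/client-cert": GENERAL_PHISHING_RESISTANT,
}


def parse_kv_form(body: str) -> dict:
    """Parse OpenID key-value form encoding: one 'key:value' per line."""
    fields = {}
    for line in body.split("\n"):
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed key-value line: %r" % line)
        fields[key] = value
    return fields


def asserted_policies(fields: dict) -> set:
    """Policy URIs the OP actually asserted: only a signed field counts.
    An unsigned field could have been added by anyone on the path, so it is
    no statement by the OP. (HMAC verification with the association key is
    assumed to have happened before this point.)"""
    signed = set(fields.get("signed", "").split(","))
    if "auth_policies" not in signed:
        return set()
    return set(fields.get("auth_policies", "").split())


def is_phishing_resistant(fields: dict) -> bool:
    """RP policy: accept the general URI, or a specific method mapped to it."""
    policies = asserted_policies(fields)
    if GENERAL_PHISHING_RESISTANT in policies:
        return True
    return any(SPECIFIC_METHODS.get(p) == GENERAL_PHISHING_RESISTANT for p in policies)


# Constructed sample responses (not real OP output).
SIGNED_GENERAL = ("mode:id_res\nsigned:mode,identity,auth_policies\n"
                  "auth_policies:" + GENERAL_PHISHING_RESISTANT + "\n")
UNSIGNED_CLAIM = ("mode:id_res\nsigned:mode,identity\n"
                  "auth_policies:" + GENERAL_PHISHING_RESISTANT + "\n")
SIGNED_SPECIFIC = ("mode:id_res\nsigned:mode,identity,auth_policies\n"
                   "auth_policies:http://example.org/method/hardware-token\n")
```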