[OpenID] OpenID and phishing (was Announcing OpenID Authentication 2.0 - Implementor's Draft 11)

Simon Willison simon at simonwillison.net
Fri Jan 19 16:07:24 UTC 2007


On 19 Jan 2007, at 15:55, Mike Beltzner wrote:

> At this juncture I feel that I should mention that I don't think  
> "fixing phishing" should be a goal of OpenID. Improving things, and  
> certainly not regressing is a must. But ensuring a perfect system  
> might needlessly deadlock us.

I totally agree, but my worry is that fear of phishing will stunt  
deployment of OpenID. Fighting phishing should be the concern of the  
identity providers - delegation makes for a very low cost of  
switching, so the more competition between providers in the area of  
security the better. The OpenID community as a whole needs to be seen  
to be taking phishing seriously (even if it's not in the core  
specification) and the more evidence there is that identity providers  
are tackling the problem the better.

Cheers,

Simon



More information about the general mailing list