[OpenID] OpenID and phishing (was Announcing OpenID Authentication 2.0 - Implementor's Draft 11)
Simon Willison
simon at simonwillison.net
Fri Jan 19 16:07:24 UTC 2007

On 19 Jan 2007, at 15:55, Mike Beltzner wrote:
> At this juncture I feel that I should mention that I don't think
> "fixing phishing" should be a goal of OpenID. Improving things, and
> certainly not regressing is a must. But ensuring a perfect system
> might needlessly deadlock us.

I totally agree, but my worry is that fear of phishing will stunt
deployment of OpenID. Fighting phishing should be the concern of the
identity providers - delegation makes for a very low cost of
switching, so the more competition between providers in the area of
security the better. The OpenID community as a whole needs to be seen
to be taking phishing seriously (even if it's not in the core
specification) and the more evidence there is that identity providers
are tackling the problem the better.

Cheers,
Simon