[OpenID] OpenID and phishing (was Announcing OpenIDAuthentication 2.0 - Implementor's Draft 11)

Mike Beltzner beltzner at mozilla.com
Fri Jan 19 22:55:48 UTC 2007

On 19-Jan-07, at 1:52 PM, Scott Kveton wrote:

>> Regarding anti-phishing & IE - isn't that one of the main design  
>> goals of
>> Cardspace?
>> Scenario: Login to your OP with Cardspace and not worry about  
>> phishing?
>> My only point here is that I think the IE people probably think  
>> they *have*
>> a solution, which may or may not be appealing to people here.
> I'd hate to assume something like that without asking.  I would  
> think as a
> browser vendor you'd want to support multiple "standards" ... The  
> browser is
> a platform, not a channel to your specific technology.  My point is,
> shouldn't we at least ask?  Which leads me back to, does anybody  
> know anyone
> on the IE development team?

I have some contacts with folks like Rob Franco and Kelvin Yiu.  
They're pretty approachable.

> It should be noted that in addition to the Firefox 3.0 requirements
> including OpenID, they also listed CardSpace.  The two aren't mutually
> exclusive IMHO.

Obviously, I agree. :)

It would actually be useful to categorize the user problems and  
security risks/problems, and draw up a chart illustrating how the  
various specifications out there are trying to address those  
problems. I keep feeling like OpenID and Cardspace are tackling  
slightly different problems - at the risk of horrendously offending  
people on this list (which isn't my intent, so please read what I'm  
about to write with an open mind and heart!) ..:

  * OpenID seems to be more focused on SSO, though the extensions  
allow for more
  * CardSpace seems to be about simplifying and securing the  
transmission of personal information


More information about the general mailing list