[OpenID] OpenID and phishing (was Announcing OpenID Authentication 2.0 - Implementor's Draft 11)

James A. Donald jamesd at echeque.com
Sat Jan 20 00:21:59 UTC 2007


Simon Willison wrote:
 > my worry is that fear of phishing will stunt
 > deployment of OpenID. Fighting phishing should be the
 > concern of the identity providers - delegation makes
 > for a very low cost of switching, so the more
 > competition between providers in the area of security
 > the better. The OpenID community as a whole needs to
 > be seen to be taking phishing seriously (even if it's
 > not in the core specification) and the more evidence
 > there is that identity providers are tackling the
 > problem the better.

An appropriate place to address phishing is in sample
and example code for OPs.

Another relevant place is in client side software, for
example the unimplemented Passpet, which should support
OpenID, among other things.


