[OpenID] OpenID and phishing (was AnnouncingOpenIDAuthentication 2.0 - Implementor's Draft 11)

Gabe Wachob gabe.wachob at amsoft.net
Sat Jan 20 00:26:47 UTC 2007

Phishing (and pharming) is only an issue for *some* ways of authenticating
to an OP. 


The practical issue today is that most OP's have no better way of
authenticating a user than phishable username/password login screens.
However, OpenID (the protocol) is intended to support (practically) any form
of authentication that an OP chooses to use. It is entirely possible to use,
for example, token-based authentication that isn't susceptible to the same
phishing attacks. 


My hope was that OpenID as a protocol would get launched in parallel with
innovation in authentication mechanisms - including (of course)
anti-phishing mechanisms for sites using plain old username/password. 


I would hate for OpenID to be shot down in whole because of the special
exposure it has to phishing in the simple deployment scenario which
dominates today. I just want to make sure we don't forget that enabling
authentication innovation is a key driver for OpenID, at least for some of






From: general-bounces at openid.net [mailto:general-bounces at openid.net] On
Behalf Of Bob Wyman
Sent: Friday, January 19, 2007 4:06 PM
To: Gavin Baumanis
Cc: openid-general
Subject: Re: [OpenID] OpenID and phishing (was
AnnouncingOpenIDAuthentication 2.0 - Implementor's Draft 11)


On 1/19/07, Gavin Baumanis <gavin.baumanis at rmit.edu.au> wrote:

> I think not addressing [Phishing] in the spec ... is not a wise

I keep gettting the sense that somehow people seem to think that "not
addressing phishing in the spec" is the same as "not addressing phishing."
But, phishing can certainly be addressed in a distinct document and the two
documents can then be linked together. By having two related documents, we
can "address phishing" without addressing it in the spec. Actually, I think
doing it that way would make a great deal of sense -- It's a standard
separation of concerns. 

bob wyman


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-general/attachments/20070119/d349aff9/attachment-0002.htm>

More information about the general mailing list