[OpenID] OpenID and phishing (was Announcing OpenIDAuthentication 2.0 - Implementor's Draft 11)

Gavin Baumanis gavin.baumanis at rmit.edu.au
Sat Jan 20 00:52:15 UTC 2007

Once again I agree with you - the terminology was not the best chosen -
thus the quotes - as I couldn't think of anything more appropriate at
the time.
I really have no predefined format that I would like to see the
anti-phishing document in.
A technical document for OPs - with sample code / some "best-practices"
etc. could well serve to alleviate my concerns.
And I'll be a little lazy and answer reply to Gabe's email too:
And let me suffix my recent posts with:
I am not trying to "shoot-down" OpenID in any way. I think it is a great
technology and really want to see it become a ubiquitous protocol.
My comments aren't really from me - in so far as I am playing "man in
the middle / devil's advocate" for some queries being sent my way from
other academics I have been discussing OpenID with, here in the
university. They're telling me - they don't like it because of what they
see as "the phishing issue with OpenID's mechanics".
So a defence if you like - to them - and anyone else that just
simply disregards OpenID based on this issue alone, it would be nice to
have an appropriate document that co-exists with the 2.0 specification
that addresses their concerns - but I strongly believe the "other"
document needs to be available at the time of the release of the spec.
As far as the creation of the document goes - well I am not
technically skilled (with OpenID) to "write" such a document but
certainly volunteer my time to proofread it - with regards to "Can an
idiot read it and understand it. Is the language good / clear etc" - in
fact I can certainly volunteer secretarial duties to all aspects of
OpenID. As technical lead for my group - it is well within my position
description / requirements to investigate / contribute to such efforts
that may be of use to the group.
And since the people I am discussing it with are in a position to
influence others - I thought it a good idea to try and influence those
- that influence others!

>>> On Saturday, January 20, 2007 at 11:21, in message
<45be5cd40701191621w27f00559j34b3d84225dfa2ee at mail.gmail.com>, "Bob
Wyman" <bob at wyman.us> wrote:
On 1/19/07, Gavin Baumanis <gavin.baumanis at rmit.edu.au> wrote:
> I don't necessarily disagree with you. 
> the 2.0 spec should not be released without the appendix document
I think we might be making a mistake by thinking of it as an
"appendix." The sense I get is that a good bit of the anti-phishing
support that would be useful is actually independent of OpenID and thus
would be useful to specify as such. 

bob wyman
