[OpenID] OpenID and phishing (was: Announcing OpenID Authentication 2.0 - Implementor's Draft 11)
gavin.baumanis at rmit.edu.au
Sat Jan 20 05:52:25 UTC 2007
Hi Scott - firstly, thanks for the considerable reply.
>>> On Saturday, January 20, 2007 at 15:50, in message <C1D6DF84.27293%scott at janrain.com>, Scott Kveton <scott at janrain.com>
>> Firstly - I don't have an answer - I don't even have a vague
>> I completely understand that it is not an OpenId issue. - it affects
> Therein lies the biggest problem.
I completely agree - and again don't pretend for a second to have the
answer. And with all the knowledge / experiences that exist within the
list - I think it just goes to show how complex the problem is - that
there still isn't a "definitive" answer.
>> How can it be considered out of spec for OpenId, if the mechanics of
>> authentication seem to assist phishing?
>> I clearly see it being something that can hold up the official
>> OpenId 2.0 for a pretty lengthy time - and I realise nobody wants
> Phishing is a _huge_ problem ... By huge I don't mean it's happening
> the place, I mean it's an the-Internet-Sucks problem. That alone is
> enough to leave it as out-of-scope for OpenID. In addition to that
> others have mentioned this here, I'm merely repeating), auth via a
> just one way of doing OpenID authentication. Two factor, FOP, etc
> options here so putting "phishing for via a form" into the spec is
> out-of-scope for this document.
> Now, let's be realistic. The majority of users (at least in the near
> will be using a forms via redirects for logins. The ideas here on
> are all great and I think putting them all together gives us quite a
> reasonable defense against phishing. Moreover, the better the
> technologies get for OpenID, the better they get for the Internet.
> honestly believe that this is a huge opportunity for OpenID ... If we
> get it right then that can be a significant driver for OpenID. After
> then you'd only have to worry about your identity provider having the
> technologies to protect you, not every site that you go to.
I do follow and understand your point of view as to why you think it is
out of spec for the OpenId Protocol.
I agree with you.
I have invited my colleagues to join the list and get involved. I still
hope to persuade them.
> I like the idea of having a separate specification or appendix on how
> deal with phishing. I also think the finer points of this discussion
> end up in the FAQ; everyone keeps rehashing the same arguments and it
> be nice to be able to just point at a FAQ.
Well I certainly think it is a great idea - and certainly agree with
the idea of using the wiki appropriately and creating an "authoritative"
FAQ / technical document repository, etc.