[OpenID] OpenID and phishing (was Announcing OpenIDAuthentication 2.0 - Implementor's Draft 11)

Marcin Jagodziński marcin.jagodzinski at gmail.com
Sat Jan 20 09:32:09 UTC 2007

I think that whole login process for OP should have very different UI
than "normal login". The question is: how to distinguish between OP
login and other logins.

This IS a specification issue.

I think that we should include in spec requirement which says that OP
has to inform UA that "this is OpenID OP" (using perhaps <meta>
element in HTML). The UA CAN change its UI when it's informed that the
page claims to be OP.

This will raise the awareness of user and launch other procedures like
white/black list checking, checking if user is first time on that page
and so on.

How will UA reflect the fact that user is browsing site which claims
to be OP: this is up to
UA implementation.

But I strongly feel that OP should inform the UA about being an OP and
this should be part of OpenID spec.



More information about the general mailing list