[OpenID] OpenID and phishing (was Announcing OpenIDAuthentication 2.0 - Implementor's Draft 11)

Ka-Ping Yee openid at zesty.ca
Sat Jan 20 10:18:43 UTC 2007

On Sat, 20 Jan 2007, James A. Donald wrote:
> Short answer.  Passpet.  Longer answer, passpet plus SRP.

I'm glad you like the UI ideas in Passpet.

> SRP is the final solution to phishing for shared secrets.

It's a fairly final solution to phishing for *passwords*.
Unfortunately, phishing is a broader problem than that.
If I can fool you into thinking that my site is your bank,
I can still ask you for all sorts of personal information,
regardless of what login protocol your bank uses.

Phishing is an identification problem ("which site am I at?").

SRP solves *login*.  It doesn't solve identification -- no
protocol can, because identification is a UI problem.

Passpet (mainly) attacks the UI problem (it also tries to
improve the situation on the login front, but there's a
limit to how much you can improve that while remaining
compatible with today's username-and-password sites.)

-- ?!ng
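The distinction drawn above, as an added example that is not part of the original post: a minimal SRP-6a exchange in which the client never transmits its password, the server stores only a salted verifier, and a server that lacks that verifier (a look-alike site, say) cannot complete the handshake. The group parameters are a toy choice for illustration, not a standard SRP group; nothing here can show the identification problem, which is exactly the author's point.

```python
"""SRP-6a client/server exchange (demonstration only).

The password never leaves the client; the server holds (salt, verifier).
A server without the real verifier cannot produce a matching session key,
so neither side's proof verifies. Group parameters below are a toy
choice for illustration, not one of the standard SRP groups."""
import hashlib
import secrets

N = 2**521 - 1   # a prime, but NOT a standardised SRP group (assumption)
g = 3            # toy generator (assumption)


def H(*parts):
    """SHA-256 over the concatenated parts, returned as an integer."""
    h = hashlib.sha256()
    for p in parts:
        h.update(p if isinstance(p, bytes) else str(p).encode())
    return int.from_bytes(h.digest(), "big")


k = H(N, g)  # SRP-6a multiplier


def enroll(username, password):
    """Registration: the server keeps (salt, verifier), never the password."""
    salt = secrets.token_bytes(16)
    x = H(salt, H(username, ":", password))
    return salt, pow(g, x, N)


def run(username, password, salt, verifier):
    """One login: returns (server_accepts_client, client_accepts_server)."""
    a = secrets.randbelow(N - 2) + 1
    A = pow(g, a, N)                        # client -> server: username, A
    b = secrets.randbelow(N - 2) + 1
    B = (k * verifier + pow(g, b, N)) % N   # server -> client: salt, B
    u = H(A, B)                             # scrambling parameter, both sides
    x = H(salt, H(username, ":", password)) # client derives x from its password
    S_client = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    S_server = pow(A * pow(verifier, u, N), b, N)
    M1 = H(A, B, S_client)                  # client -> server: proof of key
    server_accepts = M1 == H(A, B, S_server)
    M2 = H(A, M1, S_server)                 # server -> client: proof of key
    client_accepts = M2 == H(A, M1, S_client)
    return server_accepts, client_accepts
```

A server that only guessed the password (its own `enroll` with the wrong secret) fails both checks, which is the property the post credits to SRP; it learns nothing from the exchange that lets it recover the password offline without also knowing the client's ephemeral `a`.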