[OpenID] OpenID and phishing (was Announcing OpenIDAuthentication 2.0 - Implementor's Draft 11)

Ben Laurie benl at google.com
Sat Jan 20 15:12:27 UTC 2007

On 1/19/07, Hans Granqvist <hgranqvist at verisign.com> wrote:
> Ben Laurie wrote:
> > ...
> > I do not agree that it's not an issue for the spec. As it stands, the
> > spec completely washes its hands of this issue, and I don't think
> > that's acceptable.
> >
> What I don't get is why everyone seemed to not care when
> we were discussing "OpenID security profiles" a few months
> ago.
> I whined a bit about that here:
> http://commented.org/blog/2007/1/19/openid-and-phishing.html

Could it be because the security profiles are between the RP and the
OP, and so don't address the problem of phishing one iota?
