[OpenID] OpenID and phishing (was AnnouncingOpenIDAuthentication 2.0 - Implementor's Draft 11)

Scott Kveton scott at janrain.com
Sat Jan 20 19:26:38 UTC 2007

I'd be curious to hear the thoughts of the spec editors on this suggestion
... I think its a nice middle ground ... Doesn't require us changing the
Internet, would work nicely with the other suggestions and could get us
headed in the right direction quickly.

- Scott

On 1/20/07 8:27 AM, "Marcin Jagodziński" <marcin.jagodzinski at gmail.com>

> Scott,
> there are two sides: OP / UA. In my opinion it would be good, if we write that
> "OP MUST contain [...] markup which can be read by UA to distinguish
> it from other login pages"
> but
> "UA MAY use it to present some special GUI and take other steps to
> prevent phishing" (or maybe SHOULD).
> The first sentence is easy to implement (and this markup can be also
> used by RP to check if it's OP or some "other" page, maybe it should
> not be inline markup but separate file?)
> It won't slow down the rate of adoption, it's only mandatory from OP
> side. Maybe the last sentence should contain "MAY" in 2.0 and "SHOULD"
> in 2.1. We don't have to wait for UA-makers to make changes, but we
> MUST give them a chance.
> Writing a plugin that check every page ("maybe this is a login form so
> we should warn the user...") and warning users ("hello, you're
> submitting something which looks like login / password, is it your
> identity provider page?") is not efficient. There's a warning about
> summiting a form already built-in in browsers. With very useful option
> "[ ] Don't show it again". I almost forgot about this "security
> measure" :)
> And in my opinion this is the one and only place where "phishing"
> should be mentioned in specification.
> regards,
> Marcin
>> I know Dick floated the idea of having a bit of markup that can be detected
>> by the UA to initiate some UI change to make it clear that the user is
>> logging into their OP.  I like the idea as long as its not a MUST.  The
>> reason I don't like the MUST is that I'm afraid that getting support for it
>> in every UA (phones, browsers, etc) will take time and stunt adoption of
>> OpenID.
>>> How will UA reflect the fact that user is browsing site which claims
>>> to be OP: this is up to
>>> UA implementation.
>>> But I strongly feel that OP should inform the UA about being an OP and
>>> this should be part of OpenID spec.
>> Let's all not forget that the best part about OpenID 2.0 is that there will
>> be an OpenID 2.1, 3.0 ... Maybe even XP, Vista or 2008 (I kid).  Putting a
>> requirement like the above on OpenID 2.0 will halt adoption ... We can't
>> demand that browsers and other user agents change before we move forward
>> IMHO.

More information about the general mailing list