[OpenID] OpenID and phishing (was Announcing OpenID Authentication 2.0 - Implementor's Draft 11)

Chris Messina chris.messina at gmail.com
Sat Jan 20 20:21:23 UTC 2007


I'm confused on this idea, I think... What happens if someone
*doesn't* comply with this? Will the protocol break? Will login fail?

Chris

On 1/20/07, Scott Kveton <scott at janrain.com> wrote:
> I'd be curious to hear the thoughts of the spec editors on this suggestion
> ... I think it's a nice middle ground ... Doesn't require us changing the
> Internet, would work nicely with the other suggestions and could get us
> headed in the right direction quickly.
>
> - Scott
>
>
> On 1/20/07 8:27 AM, "Marcin Jagodziński" <marcin.jagodzinski at gmail.com>
> wrote:
>
> > Scott,
> >
> > there are two sides: OP / UA. In my opinion it would be good if we wrote that
> >
> > "OP MUST contain [...] markup which can be read by UA to distinguish
> > it from other login pages"
> >
> > but
> >
> > "UA MAY use it to present some special GUI and take other steps to
> > prevent phishing" (or maybe SHOULD).
> >
> > The first sentence is easy to implement (and this markup can also be
> > used by the RP to check whether it's an OP or some "other" page; maybe it
> > should not be inline markup but a separate file?)
> >
> > It won't slow down the rate of adoption, it's only mandatory on the OP
> > side. Maybe the last sentence should contain "MAY" in 2.0 and "SHOULD"
> > in 2.1. We don't have to wait for UA-makers to make changes, but we
> > MUST give them a chance.
> >
> > Writing a plugin that checks every page ("maybe this is a login form so
> > we should warn the user...") and warns users ("hello, you're
> > submitting something which looks like login / password, is it your
> > identity provider page?") is not efficient. There's already a warning
> > about submitting a form built into browsers. With the very useful option
> > "[ ] Don't show it again". I almost forgot about this "security
> > measure" :)
> >
> > And in my opinion this is the one and only place where "phishing"
> > should be mentioned in specification.
> >
> > regards,
> >
> > Marcin
> >
> >> I know Dick floated the idea of having a bit of markup that can be
> >> detected by the UA to initiate some UI change to make it clear that the
> >> user is logging into their OP.  I like the idea as long as it's not a
> >> MUST.  The reason I don't like the MUST is that I'm afraid that getting
> >> support for it in every UA (phones, browsers, etc) will take time and
> >> stunt adoption of OpenID.
> >>
> >>> How will UA reflect the fact that user is browsing site which claims
> >>> to be OP: this is up to
> >>> UA implementation.
> >>>
> >>> But I strongly feel that OP should inform the UA about being an OP and
> >>> this should be part of OpenID spec.
> >>
> >> Let's all not forget that the best part about OpenID 2.0 is that there
> >> will be an OpenID 2.1, 3.0 ... Maybe even XP, Vista or 2008 (I kid).
> >> Putting a requirement like the above on OpenID 2.0 will halt adoption
> >> ... We can't demand that browsers and other user agents change before
> >> we move forward IMHO.
> >
>
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general
>


-- 
Chris Messina
Citizen Provocateur &
  Open Source Ambassador-at-Large
Work: http://citizenagency.com
Blog: http://factoryjoe.com/blog
Cell: 412 225-1051
Skype: factoryjoe
This email is:   [ ] bloggable    [X] ask first   [ ] private
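The "OP declares itself with markup, UA decides what to do with it" idea debated above, as an added example that is not part of the thread and not code from any OpenID implementation. The marker name (`<meta name="openid.op">`), the idea that the UA remembers the origins of OPs the user has already enrolled, and the sample pages are all assumptions made here. The cross-check against the enrolled list is the caveat the thread does not spell out: markup is copyable, so a phishing page can carry the same marker, and the UA has to bind the marker to an origin it already trusts. A page that carries no marker at all is simply handled as an ordinary login page, which is the "doesn't comply" case Chris asks about.

```python
"""UA-side check for an OP self-declaration marker.

Added example, not code from this thread or from any OpenID library.
Assumptions made here: the marker is <meta name="openid.op">, and the UA
remembers the origins of the OPs the user has already logged in to.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

OP_MARKER = "openid.op"  # hypothetical marker name; not in the OpenID spec


def origin_of(url):
    """scheme://host[:port], lower-cased, so pages compare by origin only."""
    parts = urlsplit(url)
    return f"{parts.scheme.lower()}://{parts.netloc.lower()}"


class _PageScan(HTMLParser):
    """Collects the two facts the UA cares about: is the marker present,
    and does the page ask for a password."""

    def __init__(self):
        super().__init__()
        self.has_marker = False
        self.has_password_field = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("name", "").lower() == OP_MARKER:
            self.has_marker = True
        if tag == "input" and a.get("type", "").lower() == "password":
            self.has_password_field = True


def classify_page(html, page_url, enrolled_ops):
    """Decide which UI the UA should show for this page.

    trusted-op     marker present and the page origin is an OP the user enrolled
    unverified-op  marker present but origin unknown: the marker is copyable
                   markup, so by itself it proves nothing; warn, do not trust
    plain-login    no marker, but a password field: an ordinary login page
                   (an OP that does not carry the marker simply ends up here)
    other          no marker, no password field
    """
    scan = _PageScan()
    scan.feed(html)
    scan.close()
    enrolled = {origin_of(u) for u in enrolled_ops}
    if scan.has_marker:
        return "trusted-op" if origin_of(page_url) in enrolled else "unverified-op"
    if scan.has_password_field:
        return "plain-login"
    return "other"


# Constructed sample pages and an enrolled-OP list (not real sites).
ENROLLED_OPS = ["https://op.example.net/server"]

OP_PAGE = """<html><head><meta name="openid.op" content="1"></head>
<body><form method="post" action="/login">
<input name="user"><input type="password" name="pw"></form></body></html>"""

# A copy of the OP page hosted elsewhere: marker included, origin wrong.
PHISH_PAGE = OP_PAGE

PLAIN_LOGIN = """<html><body><form method="post" action="/signin">
<input name="email"><input type="PASSWORD" name="secret"></form></body></html>"""


if __name__ == "__main__":
    for page, url in [(OP_PAGE, "https://op.example.net/login"),
                      (PHISH_PAGE, "https://op.example.net.evil.example/login"),
                      (PLAIN_LOGIN, "https://shop.example.com/login")]:
        print(url, "->", classify_page(page, url, ENROLLED_OPS))
```

The enrolled-OP list stands in for whatever state a real UA would keep (the OP endpoint discovered during the current OpenID flow, or a list of providers the user has used before); without some such binding, the marker is only a hint for styling and gives no phishing protection.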