[OpenID] phishing

Jon Mills josudesign at gmail.com
Sat Jan 20 20:52:26 UTC 2007

>I agree with you that it's not a protocol spec's job to dictate the UI.
>It *is* the spec's job to clearly warn implementors that OpenID increases
>phishing risk for the standard login UI -- used by most current OpenID
>providers and demonstrated in practically every explanation of OpenID --
>and that they are responsible for taking measures to prevent it.

> I feel that it's impossible for us to mandate or legislate matters 
> that we don't fully understand, don't have the influence to enforce

The problem I see in the future is OpenID getting an insecure description to
go along with it. How is it possible to move this into the future of
ecommerce and the internet as a whole, but allow the spec authors to relay
the spec's insecurities? I see phishing as a "go, no-go" problem when it
comes to any implementation past general forum commenting. I urge everyone
to think of constructive ways to relay the possible insecurities associated
with OpenID in the best manner possible, maybe a "best practices"
documentation for different types of implementations (forums, ecommerce,
blogs). I don't think it is the time for bold warnings. The spec is in its
infancy; I wouldn't want to ruin the possible future implementations of it
by giving it a bad name.

-Jon Mills
