[OpenID] OpenID and phishing

Johnny Bufu johnny at sxip.com
Sat Jan 20 22:42:15 UTC 2007

>> On 1/20/07 8:27 AM, "Marcin Jagodziński" <marcin.jagodzinski at gmail.com> wrote:
>>> "OP MUST contain [...] markup which can be read by UA to distinguish it from other login pages"
>>> but
>>> "UA MAY use it to present some special GUI and take other steps to prevent phishing" (or maybe SHOULD).

> On 1/20/07, Scott Kveton <scott at janrain.com> wrote:
>> I'd be curious to hear the thoughts of the spec editors on this suggestion ... I think it's a nice middle ground ... Doesn't require us changing the Internet, would work nicely with the other suggestions and could get us headed in the right direction quickly.

On 20-Jan-07, at 12:21 PM, Chris Messina wrote:
> I'm confused on this idea, I think... What happens if someone
> *doesn't* comply with this? Will the protocol break? Will login fail?

Exactly! As much as I would like to have these as MUSTs in the real world, I don't see a way to put them in the spec as requirements.

Having a MUST implies that, if it is not complied with, the party at the other end of the transaction MUST fail. And therein lies the problem: OP - end user authentication is out of scope of the OpenID spec. If it weren't, an OpenID-speaking entity would be needed on the user side during that transaction.

no-password.com can be a compliant OP, if it (and its users) choose to not care about security at this stage.

So the only way to tie the OP - end user authentication with the spec is with security recommendations for the OPs that *are* concerned with security. And this part is currently mentioned in the spec, by acknowledging the attack and pointing out that a secure channel between the OP and the user is needed to prevent it.

Of course, the problem remains if no-password.com markets itself as super-secure-op.com, fools users into using it, and later on the users want to use these identities to log in to their banks.

So the issue (as I see it) is making the users aware that, if online identity is important to them, the trust associated with the relationship they have with their identity "keepers" - the OPs - should be similar to the trust they have in their banks for keeping their money.
