[OpenID] OpenID and phishing

James A. Donald jamesd at echeque.com
Mon Jan 22 19:16:40 UTC 2007

Chris Messina wrote:
 > Well, given your example of the image tag, for one
 > thing, delivery of the page's data and its subsequent
 > rendering don't fail if an alt attribute is missing
 > even if the spec demands it... Now, take the more
 > crucial example of OpenID and suggesting that folks
 > *must* use non-critical markup "merely" to help
 > prevent abuse that is prevalent today and you're
 > starting to stray outside the focus of the spec.
 > Furthermore, XHTML, as has been pointed out, may not
 > be the only interface by which someone logs into their
 > account: consider Flash logins, XAML, Apollo and the
 > like... languages and binaries that are not
 > necessarily easy to solicit such "identifying marks"
 > from.
 > And lastly, what should the UA do in the case of a
 > login form that self-identifies as you suggest, but is
 > not at all what it claims to be? Can or should the UA
 > be able to disambiguate a real from a fake? Or to
 > somehow know when the markup you're suggesting is
 > being used correctly?

To resist phishing, the UA should

1.  Know who you have a login relationship with - thus
the UA is a password manager/signon tool, for example
passpet. To help it recognize familiar pages, the tool
needs to support digital authentication, and needs to
provide this information to the user, for example the
petname toolbar, which does what PKI fails to do.

2.  Support SRP logins, so that there is nothing to

3.  Enable communications initiated from URLs where you
have a relationship, and by default generate data
representing such a relationship where you login - an IM
like, white list based, interface for receiving

You may well say that all this is massively off topic
for OpenID, and it is, but the primary competitor of
OpenID is an implementation of point one.

          James A. Donald
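Added example, not part of this thread: a runnable SRP-6a key agreement in Python illustrating point 2. The client transmits only its public value A (the later proof messages M1/M2 are omitted here), the site stores only a salt and verifier v, and a page that does not hold v cannot complete the exchange or recover the password. The group is the 1024-bit one from RFC 5054 Appendix A; the user name and password are constructed sample values.

```python
import hashlib, os

# 1024-bit safe-prime group from RFC 5054, Appendix A (generator g = 2).
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
    "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
    "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
    "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3", 16)
g = 2
NLEN = (N.bit_length() + 7) // 8          # 128 bytes; values are padded to this

def H(*parts: bytes) -> int:
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")

def pad(x: int) -> bytes:
    return x.to_bytes(NLEN, "big")

k = H(pad(N), pad(g))                      # SRP-6a multiplier

def private_x(salt: bytes, user: bytes, pw: bytes) -> int:
    # x is derived on the client only; it never crosses the wire.
    return H(salt, hashlib.sha256(user + b":" + pw).digest())

def enroll(user: bytes, pw: bytes):
    """Client-side enrolment: the site stores (salt, v), never the password."""
    salt = os.urandom(16)
    return salt, pow(g, private_x(salt, user, pw), N)

def client_start():
    a = int.from_bytes(os.urandom(32), "big")
    return a, pow(g, a, N)                 # A is the only value the client sends

def server_start(v: int):
    b = int.from_bytes(os.urandom(32), "big")
    return b, (k * v + pow(g, b, N)) % N   # B depends on the stored verifier

def client_key(a: int, A: int, B: int, salt: bytes, user: bytes, pw: bytes) -> int:
    if B % N == 0:                         # reject a degenerate B
        raise ValueError("bad B")
    u, x = H(pad(A), pad(B)), private_x(salt, user, pw)
    return pow((B - k * pow(g, x, N)) % N, a + u * x, N)

def server_key(b: int, A: int, B: int, v: int) -> int:
    if A % N == 0:                         # reject a degenerate A
        raise ValueError("bad A")
    u = H(pad(A), pad(B))
    return pow(A * pow(v, u, N) % N, b, N)

def run_login(user: bytes, pw_typed: bytes, salt: bytes, v: int) -> bool:
    """Full exchange: True only if both sides derive the same session key."""
    a, A = client_start()
    b, B = server_start(v)
    return client_key(a, A, B, salt, user, pw_typed) == server_key(b, A, B, v)
```

A site that only imitates the login page has no v, so its B cannot match the client's computation and the exchange fails without the password ever being disclosed.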
