[OpenID] OpenID and phishing (was Announcing OpenID Authentication 2.0 - Implementor's Draft 11)

Scott Kveton scott at janrain.com
Mon Jan 22 23:40:06 UTC 2007

>> Let's all not forget that the best part about OpenID 2.0 is that there will
>> be an OpenID 2.1, 3.0 ... Maybe even XP, Vista or 2008 (I kid).  Putting a
>> requirement like the above on OpenID 2.0 will halt adoption ... We can't
>> demand that browsers and other user agents change before we move forward
>> IMHO.
> OpenID cannot mandate phishing protection, since that requires UA
> upgrades.  It can *enable* phishing protection for suitable UAs, and
> also provide best practice sample code for OPs.

Absolutely ... And I've always said this is a great option for users ... My
point is that _mandating_ or _requiring_ some client code in the near term
is unacceptable for the majority of use cases today.  If support exists on
the UA, great.  We'll be sure to point our users at something like that when
it becomes available.

- Scott
