[OpenID] Negotiating a backup OP from the current OP
Anders Feder
lists.anders at feder.dk
Mon Jun 30 08:29:40 UTC 2008
Mon, 30 06 2008 at 00:35 -0700, SitG Admin wrote:
> If the RP says "We need to do it this way." and the OP says "I have
> this independent OP which meets your needs.", can the RP afford to
> change its mind?
+1. This is a good point. I think this protocol makes for a very
balanced and transparent negotiation.
Let's say the user has an OP that will expose any phishing attempts. The
user attempts to log in to a phisher's website. Now if the user is to say
"here, I have this OP, does it meet your requirements?", the phisher
will obviously just respond "no, I don't think it's secure enough",
cancel the login and its phishing activities go by undetected.
But if the user can say "here, I have this phishing-resistant OP and I
know it meets your specified minimum requirements, let's go" the RP is
forced to either cancel the login, which will look odd and possibly ring
the alarm bells, or use the secure OP which will expose the phishing
attempt.
--
Anders Feder <lists.anders at feder.dk>