[OpenID] [oauth] Re: [diso-project] Re: OpenID Accessibility

Ben Laurie benl at google.com
Mon Nov 3 08:24:45 UTC 2008


On Mon, Nov 3, 2008 at 12:11 AM, Eddy Nigg (StartCom Ltd.)
<eddy_nigg at startcom.org> wrote:
> On 11/02/2008 09:17 PM, Ben Laurie:
>
> On Sun, Nov 2, 2008 at 5:13 PM, Joseph A Holsten
> <joseph at josephholsten.com> wrote:
>
>
> Has anyone specifically focused on the issues of phishing and
> accessibility? I know the default reader for Mac 10.4 doesn't even
> try to say the url when it changes. Academic literature on the
> subject seems scarce. [1] Is phishing resistance outside the scope of
> OAuth and OpenID accessibility?
>
>
> Well, it's in scope of something. The PAPE extension allows OPs to
> claim phishing resistance, for example. But wouldn't it be nice if
> browsers just automatically supported a phishing resistant password
> scheme?
>
>
> You mean something like client certificate authentication?

Not really - you still have to issue the client cert somehow. In
practice, this pretty much always involves the user proving knowledge
of some secret. It is that secret that I would like to protect in
transit.

>
>
> Regards
>
> Signer:  Eddy Nigg, StartCom Ltd.
> Jabber:  startcom at startcom.org
> Blog:  Join the Revolution!
> Phone:  +1.213.341.0390
>
>


