[OpenID] [oauth] Re: [diso-project] Re: OpenID Accessibility
Eddy Nigg (StartCom Ltd.)
eddy_nigg at startcom.org
Tue Nov 4 15:52:12 UTC 2008
On 11/04/2008 03:41 PM, Ben Laurie:
>> No, email validation hardly says anything about you - it only proves control
>> over the email account, but not that you are Ben Laurie nor that you are a
>> Google employee. One might assume, that if you've got a google.com email
>> address, then well, you might be an employee at Google. But it's somewhat
>> vague...
>>
>
> Well, make your mind up - it was you that brought up email validation
> in the first place.
>
Did I? I don't think so :-)
The thread started about anti-phishing measures IIRC. It was here where
I jumped in:
http://openid.net/pipermail/general/2008-November/006322.html ,
especially your statement: "But wouldn't it be nice if browsers just
automatically supported a phishing resistant password scheme?"
I answered with: "You mean something like client certificate
authentication?"
There is nothing about email validation in my response...client
certificates can also be email validated if they are used for S/MIME,
they don't have to - authentication alone is sufficient. Neither does an
OP have to validate the email address (He can optionally do so of
course, but that's not the issue we were talking about, it was about
phishing resistance).
>> Reminds me about some Google employee contacting me the other day with some
>> inquiry or job offer ...and I thought it was a phishing attempt. The email
>> wasn't signed nor any other indication which would let me clearly know, that
>> this is somebody really working at Google. :S
>>
>
> What would they sign it with, or indicate with, that would convince you?
>
>
Validated S/MIME certificate. I really didn't expect to receive from a
Google employee an email inquiry without proper identification - neither
from other high-profile brand companies out there. Instead I called the
guy by phone to validate that indeed he sent a mail and is an employee
of Google (using some other sources on my behalf). But under usual
circumstances I'd discharge the mail as spam and phish without thinking
twice....something to take up to your management perhaps ;-)