[OpenID] [oauth] Re: [diso-project] Re: OpenID Accessibility

Ben Laurie benl at google.com
Tue Nov 4 16:07:11 UTC 2008


On Tue, Nov 4, 2008 at 3:52 PM, Eddy Nigg (StartCom Ltd.)
<eddy_nigg at startcom.org> wrote:
> On 11/04/2008 03:41 PM, Ben Laurie:
>
> No, email validation hardly says anything about you - it only proves control
> over the email account, but not that you are Ben Laurie nor that you are a
> Google employee. One might assume, that if you've got a google.com email
> address, then well, you might be an employee at Google. But it's somewhat
> vague...
>
>
> Well, make your mind up - it was you that brought up email validation
> in the first place.
>
>
> Did I? I don't think so :-)

http://openid.net/pipermail/general/2008-November/006352.html

> The thread started about anti-phishing measures IIRC. It was here where I
> jumped in: http://openid.net/pipermail/general/2008-November/006322.html ,
> especially your statement:  "But wouldn't it be nice if browsers just
> automatically supported a phishing resistant password scheme?"
>
> I answered with: "You mean something like client certificate
> authentication?"
>
> There is nothing about email validation in my response...client certificates
> can also be email validated if they are used for S/MIME, they don't have to
> - authentication alone is sufficient. Neither does an OP have to validate
> the email address (He can optionally do so of course, but that's not the
> issue we were talking about, it was about phishing resistance).
>
> Reminds me of some Google employee contacting me the other day with some
> inquiry or job offer ...and I thought it was a phishing attempt. The email
> wasn't signed nor any other indication which would let me clearly know, that
> this is somebody really working at Google. :S
>
>
> What would they sign it with, or indicate with, that would convince you?
>
>
>
> Validated S/MIME certificate.

Validated how?

> I really didn't expect to receive from a Google employee an email inquiry
> without proper identification - neither
> from other high-profile brand companies out there. Instead I called the guy
> by phone to validate that indeed he sent a mail and is an employee of Google
> (using some other sources on my behalf). But under usual circumstances I'd
> discharge the mail as spam and phish without thinking twice....something to
> take up to your management perhaps ;-)
>
>
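The exchange above turns on Ben's question "Validated how?": a "validated S/MIME certificate" proves that some CA bound a key to an e-mail address, and nothing more, and it proves even that only if the receiver checks the chain against a CA it actually trusts and compares the certified address with the From: header (which sits outside the signed part). The script below is an added example, not code from the thread or from either participant. It assumes only the OpenSSL command-line tool; the CA names, the addresses alice@example.org, mallory@example.org and bob@example.net, and the message text are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): what a "validated S/MIME" signature does
# and does not prove. We build two throw-away CAs, issue S/MIME certificates
# bound to an e-mail address, sign messages, and run the two checks a receiving
# client must make: the signature chains to a CA we trust, and the signing
# certificate carries the address claimed in From:. Names, addresses and the
# message body are all constructed for this demo.

demo_dir=$(mktemp -d)

# Self-signed CA. Extensions come from a file so the result does not depend on
# whatever the local openssl.cnf happens to contain.
make_ca() {      # make_ca <name>
  ca_dir="$demo_dir/$1"; mkdir -p "$ca_dir"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$ca_dir/ca.ext"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$1 CA" \
    -keyout "$ca_dir/ca.key" -out "$ca_dir/ca.csr" 2>/dev/null
  openssl x509 -req -in "$ca_dir/ca.csr" -signkey "$ca_dir/ca.key" -days 1 \
    -sha256 -extfile "$ca_dir/ca.ext" -out "$ca_dir/ca.pem" 2>/dev/null
}

# End-entity S/MIME certificate: the CA binds the key to exactly one address.
issue_cert() {   # issue_cert <ca-name> <holder-name> <email>
  ca_dir="$demo_dir/$1"; cert="$demo_dir/$2"
  printf 'subjectAltName=email:%s\nextendedKeyUsage=emailProtection\nkeyUsage=digitalSignature\n' \
    "$3" > "$cert.ext"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$2" \
    -keyout "$cert.key" -out "$cert.csr" 2>/dev/null
  openssl x509 -req -in "$cert.csr" -CA "$ca_dir/ca.pem" -CAkey "$ca_dir/ca.key" \
    -CAcreateserial -days 1 -sha256 -extfile "$cert.ext" -out "$cert.pem" 2>/dev/null
}

# Sign a message. openssl writes From:/To:/Subject: OUTSIDE the signed part, so
# a signer can claim any From: address; only the certificate binds one.
sign_msg() {     # sign_msg <holder-name> <claimed-from> <out-file>
  printf 'Please call me back about the position.\n' > "$demo_dir/body.txt"
  openssl cms -sign -in "$demo_dir/body.txt" -signer "$demo_dir/$1.pem" \
    -inkey "$demo_dir/$1.key" -from "$2" -to bob@example.net -subject Inquiry \
    -out "$3" 2>/dev/null
}

# Receiver-side check. Return value: 0 = signature chains to a trusted CA and
# the certificate carries the From: address; 1 = no trusted chain (or bad
# signature); 2 = chain is fine but the certificate names a different address.
verify_signer() {  # verify_signer <message-file> <trusted-ca-bundle>
  claimed=$(tr -d '\r' < "$1" | sed -n 's/^From: *//p' | head -n 1)
  openssl cms -verify -in "$1" -CAfile "$2" -signer "$1.signer.pem" \
    -out /dev/null 2>/dev/null || return 1
  openssl x509 -in "$1.signer.pem" -noout -email | grep -qx "$claimed" || return 2
  return 0
}

make_ca trusted
make_ca rogue
issue_cert trusted alice   alice@example.org
issue_cert trusted mallory mallory@example.org
issue_cert rogue   fake    alice@example.org      # right address, wrong issuer

sign_msg alice   alice@example.org "$demo_dir/genuine.eml"       # honest
sign_msg mallory alice@example.org "$demo_dir/spoofed_from.eml"  # header lies
sign_msg fake    alice@example.org "$demo_dir/untrusted.eml"     # untrusted CA

for m in genuine spoofed_from untrusted; do
  status=0; verify_signer "$demo_dir/$m.eml" "$demo_dir/trusted/ca.pem" || status=$?
  echo "$m: status $status"
done
```

The three outcomes are the whole of what "validated" buys you: genuine passes both checks; the message signed with mallory's perfectly valid certificate passes the cryptographic check and fails only the address comparison, which a client that skips that step would never notice; the certificate from the rogue CA asserts alice@example.org just as confidently but is rejected because its issuer is not in the receiver's trust store. None of the three says anything about who the human behind the address is or where they work, which is the point Eddy and Ben are circling.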