[OpenID] [oauth] Re: [diso-project] Re: OpenID Accessibility
Ben Laurie
benl at google.com
Tue Nov 4 19:07:05 UTC 2008
On Tue, Nov 4, 2008 at 6:31 PM, Eddy Nigg (StartCom Ltd.)
<eddy_nigg at startcom.org> wrote:
> On 11/04/2008 06:07 PM, Ben Laurie:
>
> http://openid.net/pipermail/general/2008-November/006352.html
>
> If you read what I wrote there, you'd understand that it wasn't about email
> validation at all, but about phishing resistance. It was the point from the
> beginning:
>
> "The only exchange is really the public key submitted to the CA and the
> issuance of the certificate. There is no need to exchange any other
> information, none of it is a secret either."
I agree that client certificates are obviously phishing resistant, and
have never disagreed, and I am happy to treat the rest of the
conversation as a red herring.
However, where we came in was I said "But wouldn't it be nice if
browsers just automatically supported a phishing resistant password
scheme?" and you said "like a client cert?". Picking up from that
point: a client cert is not like a password, because I cannot memorise
my cert.