[OpenID] Security related Use Cases?

Paul Madsen paulmadsen at rogers.com
Mon Oct 20 13:21:06 UTC 2008


Even better 'please login so we can display your personalized seal'


-----Original Message-----
From: Ben Laurie <benl at google.com>
Sent: October 20, 2008 8:20 AM
To: Allen Tom <atom at yahoo-inc.com>
Cc: Dick Hardt <dick at sxip.com>; OpenID List <general at openid.net>
Subject: Re: [OpenID] Security related Use Cases?

On Sat, Oct 18, 2008 at 4:40 AM, Allen Tom <atom at yahoo-inc.com> wrote:
> Dick Hardt wrote:
>> Have you tested the OP user experience with a malicious RP? ie. how
>> easy is it for a malicious RP to fool users to pretend they are your OP?
> This is exactly the reason why we require that the Yahoo Login screen
> always appear in the entire browser window, with the address bar
> displaying https://login.yahoo.com.
>
> We do not allow the Yahoo Login screen to be framed,

Can you do that when JS is disabled?

> and we encourage
> all users, especially OpenID users, to set up an anti-phishing Sign-in
> Seal, which is a customized image that's displayed next to the Login form

