[OpenID] Security related Use Cases?

Ben Laurie benl at google.com
Wed Oct 22 09:54:29 UTC 2008


On Wed, Oct 22, 2008 at 3:52 AM, Allen Tom <atom at yahoo-inc.com> wrote:
> OpenID does not specify how the user authenticates with their OP, so OPs
> which support hooks for client side authentication seem to address your
> concerns.

Only if all of them do, and all client-side auth is consistent, and
all clients support client-side auth, otherwise, well, it isn't
consistent, and we've agreed that is bad.

If my concerns were _actually_ addressed, there would be no phishing.

>
> Allen
>
> Ben Laurie wrote:
>>
>> So if we're going to embark on a UX consistency campaign, should we
>> not do it around authentication that actually is safe - that is:
>>
>> a) Built in to the browser, s.t. it can't be faked by webpages
>>
>> b) Does not reveal the user's password in the process of authentication?
>>
>> Continuing to try to prop up the house of cards that is authentication
>> on webpages seems counterproductive to me.
>>
>
>


