[OpenID] Phishing resistant policy of PAPE
Eric Norman
ejnorman at doit.wisc.edu
Tue Oct 28 20:03:27 UTC 2008
On Oct 28, 2008, at 1:09 PM, Paul Madsen wrote:
> FYI, PAPE 1.0-07 (the version under public review) [1] no longer
> defines the phishing resistant policy in this manner.
>
> Instead
>
> "An authentication mechanism where a party potentially under the
> control of the Relying Party can not gain sufficient information to be
> able to successfully authenticate to the End User's OpenID Provider as
> if that party were the End User."
So let's see.
I trick you into going to a site that you think is Amazon.com.
Then I get you to type in your credit card number, which may
involve having you type in a user name and password also. I
don't care what you type in as a password. What I care about
is that I now have your credit card number.
I think this is called a phishing attack. But according to
the definition above, it's phishing resistant. Note that even
if Amazon uses OpenId, sends you to my real OP and you
authenticate correctly, I still can get your credit card
number. That's what I really want. I don't care about getting
your credentials as long as I can trick you into providing
something of value.
In other words, the definition above talks about authentication
of the wrong party. Either that or folks have some screwy
notion of what phishing means.
Eric Norman