[OpenID] Phishing resistant policy of PAPE

Eric Norman ejnorman at doit.wisc.edu
Tue Oct 28 20:31:21 UTC 2008


On Oct 28, 2008, at 3:17 PM, Breno de Medeiros wrote:

> On Tue, Oct 28, 2008 at 1:03 PM, Eric Norman <ejnorman at doit.wisc.edu> 
> wrote:
>>
>> On Oct 28, 2008, at 1:09 PM, Paul Madsen wrote:
>>
>>>  FYI, PAPE 1.0-07 (the version under public review) [1] no longer
>>> defines the phishing resistant policy in this manner.
>>>
>>>  Instead
>>>
>>> "An authentication mechanism where a party potentially under the
>>> control of the Relying Party can not gain sufficient information to be
>>> able to successfully authenticate to the End User's OpenID Provider as
>>> if that party were the End User."
>>
>> So let's see.
>>
>> I trick you into going to a site that you think is Amazon.com.
>> Then I get you to type in your credit card number, which may
>> involve having you type in a user name and password also.  I
>> don't care what you type in as a password.  What I care about
>> is that I now have your credit card number.
>>
>> I think this is called a phishing attack.  But according to
>> the definition above, it's phishing resistant.  Note that even
>> if Amazon uses OpenId, sends you to my real OP and you
>> authenticate correctly,  I still can get your credit card
>> number.  That's what I really want.  I don't care about getting
>> your credentials as long as I can trick you into providing
>> something of value.
>>
>> In other words, the definition above talks about authentication
>> of the wrong party.  Either that or folks have some screwy
>> notion of what phishing means.
>
> This phishing scenario you describe is not affected at all by use of
> OpenID. ...

Right.  That's part of the point.

> The purpose of the PAPE extension is to allow honest RPs to specify
> policies that indicate a higher level of confidence in the signup
> procedure of the OP. In particular, it may request that the OP use a
> phishing-resistant login procedure. It is NOT the purpose of PAPE to
> stop phishing in general, which is an intractable problem.

So why use the misleading label "phishing-resistant"?  It offers
no resistance to the phishing attack above.  It would be more
accurate to call it "Ben Laurie attack resistance".

Eric Norman