[OpenID] Phishing resistant policy of PAPE

Breno de Medeiros breno at google.com
Tue Oct 28 22:09:31 UTC 2008


On Tue, Oct 28, 2008 at 1:31 PM, Eric Norman <ejnorman at doit.wisc.edu> wrote:
>
> On Oct 28, 2008, at 3:17 PM, Breno de Medeiros wrote:
>
>> On Tue, Oct 28, 2008 at 1:03 PM, Eric Norman <ejnorman at doit.wisc.edu>
>> wrote:
>>>
>>> On Oct 28, 2008, at 1:09 PM, Paul Madsen wrote:
>>>
>>>>  FYI, PAPE 1.0-07 (the version under public review) [1] no longer
>>>> defines the phishing resistant policy in this manner.
>>>>
>>>>  Instead
>>>>
>>>>  "An authentication mechanism where a party potentially under the
>>>> control of the Relying Party can not gain sufficient information to
>>>> be
>>>> able to successfully authenticate to the End User's OpenID Provider
>>>> as
>>>> if that party were the End User."
>>>
>>> So let's see.
>>>
>>> I trick you into going to a site that you think is Amazon.com.
>>> Then I get you to type in your credit card number, which may
>>> involve having you type in a user name and password also.  I
>>> don't care what you type in as a password.  What I care about
>>> is that I now have your credit card number.
>>>
>>> I think this is called a phishing attack.  But according to
>>> the definition above, it's phishing resistant.  Note that even
>>> if Amazon uses OpenId, sends you to my real OP and you
>>> authenticate correctly,  I still can get your credit card
>>> number.  That's what I really want.  I don't care about getting
>>> your credentials as long as I can trick you into providing
>>> something of value.
>>>
>>> In other words, the definition above talks about authentication
>>> of the wrong party.  Either that or folks have some screwy
>>> notion of what phishing means.
>>
>> This phishing scenario you describe is not affected at all by use of
>> OpenID. ...
>
> Right.  That's part of the point.
>
>> The purpose of the PAPE extension is to allow honest RPs to specify
>> policies that indicate a higher level of confidence in the signup
>> procedure of the OP. In particular, it may request that the OP use a
>> phishing-resistant login procedure. It is NOT the purpose of PAPE to
>> stop phishing in general, which is an intractable problem.
>
> So why use the misleading label "phishing-resistant"?  It offers
> no resistance to the phishing attack above.  It would be more
> accurate to call it "Ben Laurie attack resistance".
>

PAPE enables the RP to ask the OP to employ a phishing-resistant form
of authentication.

PAPE does not prevent the user from being phished by dishonest RPs,
but that is not a goal of the specification.

If the RP trusts the OP, and the OP asserts that it has employed a
phishing-resistant form of authentication to authenticate _this_ user,
then the RP is satisfied that the user is not using phished
credentials. Do you object to this statement?

> Eric Norman
>
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general
>



-- 
--Breno

+1 (650) 214-1007 desk
+1 (408) 212-0135 (Grand Central)
MTV-41-3 : 383-A
PST (GMT-8) / PDT(GMT-7)
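The RP-side logic Breno describes (ask the OP for a phishing-resistant policy, then trust the OP's signed assertion that it applied one) looks roughly like the following. This is an added example, not code from the thread or from any OpenID library. It assumes the PAPE 1.0 parameter names (openid.pape.preferred_auth_policies, openid.pape.auth_policies, openid.pape.auth_time, openid.pape.max_auth_age), the PAPE 1.0 namespace URI and the phishing-resistant policy URI from the spec; the OpenID responses below are constructed sample data, and signature verification of the whole response is assumed to have happened already.

```python
"""
Added example (not part of the mailing-list thread): a minimal RP-side
check of a PAPE policy assertion. Assumes PAPE 1.0 parameter names and
URIs; the sample responses are constructed for illustration.
"""
from datetime import datetime, timedelta, timezone

PAPE_NS = "http://specs.openid.net/extensions/pape/1.0"
PHISHING_RESISTANT = "http://schemas.openid.net/pape/policies/2007/06/phishing-resistant"
# Assumed fixed clock so the age check below is deterministic (constructed).
AS_OF = datetime(2008, 10, 28, 22, 9, 31, tzinfo=timezone.utc)


def build_pape_request(policies, max_auth_age=None):
    """Parameters an RP adds to its checkid_setup request to ask the OP
    to apply the given authentication policies."""
    params = {
        "openid.ns.pape": PAPE_NS,
        "openid.pape.preferred_auth_policies": " ".join(policies),
    }
    if max_auth_age is not None:
        params["openid.pape.max_auth_age"] = str(max_auth_age)
    return params


def pape_assertion_satisfied(response, required_policies, max_auth_age=None, now=None):
    """Decide whether a positive assertion (whose signature the RP has
    already verified) satisfies the RP's PAPE requirements.
    Returns (ok, reason)."""
    # openid.signed lists the signed field names without the "openid." prefix.
    signed = set(response.get("openid.signed", "").split(","))
    if response.get("openid.ns.pape") != PAPE_NS:
        return False, "no PAPE namespace in response"
    # The OP's claim is only as good as its signature: a pape field that is
    # not in openid.signed could have been added or altered in transit.
    if "ns.pape" not in signed or "pape.auth_policies" not in signed:
        return False, "PAPE fields not covered by the OP signature"
    asserted = set(response.get("openid.pape.auth_policies", "").split())
    missing = set(required_policies) - asserted
    if missing:
        return False, "OP did not assert: " + ", ".join(sorted(missing))
    if max_auth_age is not None:
        if "pape.auth_time" not in signed or "openid.pape.auth_time" not in response:
            return False, "auth_time required but not asserted and signed"
        auth_time = datetime.strptime(
            response["openid.pape.auth_time"], "%Y-%m-%dT%H:%M:%SZ"
        ).replace(tzinfo=timezone.utc)
        now = now or datetime.now(timezone.utc)
        if now - auth_time > timedelta(seconds=max_auth_age):
            return False, "authentication too old"
    return True, "ok"


# Constructed sample assertions (only the fields relevant to PAPE are shown).
_BASE_SIGNED = "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle"
GOOD_RESPONSE = {
    "openid.ns.pape": PAPE_NS,
    "openid.pape.auth_policies": PHISHING_RESISTANT,
    "openid.pape.auth_time": "2008-10-28T22:08:00Z",
    "openid.signed": _BASE_SIGNED + ",ns.pape,pape.auth_policies,pape.auth_time",
}
# Same claim, but the pape fields were left out of the signed list.
UNSIGNED_RESPONSE = dict(GOOD_RESPONSE, **{"openid.signed": _BASE_SIGNED})
# OP answered, but applied no policy at all.
WEAK_RESPONSE = dict(
    GOOD_RESPONSE,
    **{"openid.pape.auth_policies": "http://schemas.openid.net/pape/policies/2007/06/none"},
)


def evaluate_samples():
    """Run the three constructed responses through the check."""
    req = [PHISHING_RESISTANT]
    return {
        "good": pape_assertion_satisfied(GOOD_RESPONSE, req, max_auth_age=300, now=AS_OF),
        "unsigned": pape_assertion_satisfied(UNSIGNED_RESPONSE, req, now=AS_OF),
        "weak": pape_assertion_satisfied(WEAK_RESPONSE, req, now=AS_OF),
        "stale": pape_assertion_satisfied(GOOD_RESPONSE, req, max_auth_age=30, now=AS_OF),
    }


if __name__ == "__main__":
    print(build_pape_request([PHISHING_RESISTANT], max_auth_age=300))
    for name, (ok, reason) in evaluate_samples().items():
        print(f"{name:9s} {'accept' if ok else 'reject'}: {reason}")
```

The point of the signed-list check is the one implicit in Breno's "if the RP trusts the OP": the RP is relying on the OP's word, so it must make sure the word it reads is actually the OP's, which in OpenID means the pape fields are inside the signed portion of the assertion. Nothing here does, or could, stop a user from typing a credit-card number into a dishonest RP, which is exactly the scope limit Breno draws.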
