[OpenID] Phishing resistant policy of PAPE
SitG Admin
sysadmin at shadowsinthegarden.com
Tue Oct 28 22:41:21 UTC 2008
>PAPE enables the RP to ask the OP to employ a phishing-resistant form
>of authentication.
>
>PAPE does not prevent the user from being phished by dishonest RPs,
>but that is not a goal of the specification.
>
>-If the RP trusts the OP, and the OP asserts that it has employed a
>phishing-resistant form of authentication to authenticate _this_ user,
>then the RP is satisfied that the user is not using phished
>credentials. Do you object to this statement?
I do. I would be satisfied that the user was *probably* not using
phished credentials, but not assign it the status of an absolute.
Also, when did the OP *begin* using this phishing-resistant form of
authentication? More importantly, have the user's credentials changed
since their level of security was upgraded?
-Shade
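
An added example, not part of the original message or of any OpenID library: a relying-party check of the PAPE 1.0 response fields, for the exchange quoted above. It assumes the assertion's signature has already been verified; `check_pape`, `SAMPLE` and the sample values are constructed for illustration. The result reflects only what the OP asserts about this one authentication event.

```python
from datetime import datetime, timedelta, timezone

PAPE_NS = "http://specs.openid.net/extensions/pape/1.0"
PHISHING_RESISTANT = "http://schemas.openid.net/pape/policies/2007/06/phishing-resistant"

def check_pape(params, max_auth_age, now):
    """Evaluate PAPE fields of a positive assertion whose signature the RP
    has already verified (assumption). Returns (accepted, reason)."""
    # The OP chooses the extension alias, so locate it by namespace URI.
    alias = next((k[len("openid.ns."):] for k, v in params.items()
                  if k.startswith("openid.ns.") and v == PAPE_NS), None)
    if alias is None:
        return False, "no PAPE response"
    signed = set(params.get("openid.signed", "").split(","))

    def field(name):
        # Fields missing from openid.signed are not covered by the OP's
        # signature and are treated as absent.
        key = f"{alias}.{name}"
        return params.get("openid." + key) if key in signed else None

    if PHISHING_RESISTANT not in (field("auth_policies") or "").split():
        return False, "policy not asserted"
    auth_time = field("auth_time")
    if auth_time is None:
        return False, "auth_time missing"
    try:
        when = datetime.strptime(auth_time, "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return False, "auth_time malformed"
    when = when.replace(tzinfo=timezone.utc)
    if when > now or now - when > timedelta(seconds=max_auth_age):
        return False, "auth_time outside window"
    return True, "asserted by OP"

# Constructed sample assertion parameters (not captured from a real OP).
SAMPLE = {
    "openid.ns.pape": PAPE_NS,
    "openid.signed": "claimed_id,identity,ns.pape,pape.auth_policies,pape.auth_time",
    "openid.pape.auth_policies": PHISHING_RESISTANT,
    "openid.pape.auth_time": "2008-10-28T22:30:00Z",
}
NOW = datetime(2008, 10, 28, 22, 41, 21, tzinfo=timezone.utc)
```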