[OpenID] Phishing resistant policy of PAPE
Breno de Medeiros
breno at google.com
Tue Oct 28 22:44:54 UTC 2008
On Tue, Oct 28, 2008 at 3:41 PM, SitG Admin
<sysadmin at shadowsinthegarden.com> wrote:
>> PAPE enables the RP to ask the OP to employ a phishing-resistant form
>> of authentication.
>>
>> PAPE does not prevent the user from being phished by dishonest RPs,
>> but that is not a goal of the specification.
>>
>> -If the RP trusts the OP, and the OP asserts that it has employed a
>> phishing-resistant form of authentication to authenticate _this_ user,
>> then the RP is satisfied that the user is not using phished
>> credentials. Do you object to this statement?
>
> I do. I would be satisfied that the user was *probably* not using phished
> credentials, but not assign it the status of an absolute.
>
> Also, when did the OP *begin* using this phishing-resistant form of
> authentication? More importantly, have the user's credentials changed since
> their level of security was upgraded?
Yes, I agree that the credentials issue is important. I assume that
the RP trusts the OP because it has looked into how the OP implements
the non-phishable authentication mechanism, and is satisfied with that
level of assurance.
>
> -Shade
>
--
--Breno
+1 (650) 214-1007 desk
+1 (408) 212-0135 (Grand Central)
MTV-41-3 : 383-A
PST (GMT-8) / PDT(GMT-7)
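The exchange above turns on two things an RP has to check for itself: that the OP actually asserted the phishing-resistant policy (and that the assertion is covered by the OpenID signature, otherwise anyone on the path can add it), and Shade's question of *when* that authentication happened, which PAPE answers with openid.pape.auth_time against the RP's max_auth_age. The following is an added example, not code from this thread or from any OpenID library: an RP-side request builder and response check using the PAPE 1.0 parameter names and the phishing-resistant policy URI. It assumes the extension alias is "pape", that the assertion's signature has already been verified by the normal OpenID 2.0 procedure, and that the sample assertion dictionaries are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# PAPE 1.0 policy URIs (the "none" URI means the OP applied no policy).
PAPE_NS = "http://specs.openid.net/extensions/pape/1.0"
PHISHING_RESISTANT = "http://schemas.openid.net/pape/policies/2007/06/phishing-resistant"
PAPE_NONE = "http://schemas.openid.net/pape/policies/2007/06/none"

# Alias assumed to be "pape"; a real RP must read it back from openid.ns.* in the response.
ALIAS = "pape"


def build_pape_request(max_auth_age_seconds):
    """PAPE parameters an RP adds to its checkid_setup / checkid_immediate request."""
    return {
        f"openid.ns.{ALIAS}": PAPE_NS,
        f"openid.{ALIAS}.preferred_auth_policies": PHISHING_RESISTANT,
        f"openid.{ALIAS}.max_auth_age": str(max_auth_age_seconds),
    }


def check_pape_response(params, max_auth_age_seconds, now):
    """Return (ok, reason) for a positive assertion `params` (a dict of form fields).

    Assumes the OpenID signature over the fields listed in openid.signed has
    already been verified. This only decides whether the PAPE claims are
    signed, assert the phishing-resistant policy, and are fresh enough.
    """
    signed = set(params.get("openid.signed", "").split(","))

    # An unsigned PAPE field is no assurance at all: the OP must have signed
    # the extension namespace and both response fields we rely on.
    for field in (f"ns.{ALIAS}", f"{ALIAS}.auth_policies", f"{ALIAS}.auth_time"):
        if field not in signed:
            return False, f"{field} is not covered by openid.signed"

    if params.get(f"openid.ns.{ALIAS}") != PAPE_NS:
        return False, "response does not carry the PAPE 1.0 namespace"

    # auth_policies is a space-separated list of policy URIs the OP applied.
    policies = params.get(f"openid.{ALIAS}.auth_policies", "").split()
    if PHISHING_RESISTANT not in policies or PAPE_NONE in policies:
        return False, "OP did not assert phishing-resistant authentication"

    # auth_time is RFC 3339 in UTC, e.g. 2008-10-28T22:30:00Z. This answers
    # "when did the OP authenticate this user under that policy?"
    try:
        auth_time = datetime.strptime(
            params[f"openid.{ALIAS}.auth_time"], "%Y-%m-%dT%H:%M:%SZ"
        ).replace(tzinfo=timezone.utc)
    except (KeyError, ValueError):
        return False, f"missing or malformed openid.{ALIAS}.auth_time"

    if auth_time > now + timedelta(seconds=60):  # small allowance for clock skew
        return False, "auth_time is in the future"
    if now - auth_time > timedelta(seconds=max_auth_age_seconds):
        return False, "authentication is older than max_auth_age"

    return True, "ok"


# Constructed sample assertion: only the fields relevant to this check are shown.
SAMPLE_NOW = datetime(2008, 10, 28, 22, 44, 54, tzinfo=timezone.utc)
SAMPLE_ASSERTION = {
    "openid.mode": "id_res",
    "openid.ns.pape": PAPE_NS,
    "openid.pape.auth_policies": PHISHING_RESISTANT,
    "openid.pape.auth_time": "2008-10-28T22:30:00Z",
    "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,"
                     "assoc_handle,ns.pape,pape.auth_policies,pape.auth_time",
    "openid.sig": "(verified earlier)",
}


if __name__ == "__main__":
    print(build_pape_request(3600))
    print(check_pape_response(SAMPLE_ASSERTION, 3600, SAMPLE_NOW))
```

Two of the branches above are the ones a practitioner most often gets wrong: accepting a PAPE field that is present but absent from openid.signed, and accepting an old authentication because max_auth_age was sent in the request but never compared against auth_time in the response.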