[OpenID] Phishing resistant policy of PAPE
Eric Norman
ejnorman at doit.wisc.edu
Tue Oct 28 22:47:26 UTC 2008
On Oct 28, 2008, at 5:09 PM, Breno de Medeiros wrote:
> On Tue, Oct 28, 2008 at 1:31 PM, Eric Norman <ejnorman at doit.wisc.edu>
> wrote:
>> It would be more
>> accurate to call it "Ben Laurie attack resistance".
>>
>
> PAPE enables the RP to ask the OP to employ a phishing-resistant form
> of authentication.
>
> PAPE does not prevent the user from being phished by dishonest RPs,
> but that is not a goal of the specification.
>
> -If the RP trusts the OP, and the OP asserts that it has employed a
> phishing-resistant form of authentication to authenticate _this_ user,
> then the RP is satisfied that the user is not using phished
> credentials. Do you object to this statement?
Yes. It is misleading. It fails to resist the phishing attack
that has been presented. See http://www.links.org/?p=187 for
why the above is a more accurate label.
Eric Norman
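The mechanism Breno describes, as an added example that is not part of this thread and not code from any OpenID library: the RP adds PAPE parameters to its checkid request asking for the phishing-resistant policy, the OP answers with the policies it actually applied, and the RP accepts the claim only if the PAPE fields are covered by the OP's signature. The endpoint URLs, identifiers, nonce and MAC key are constructed for the example; the signature is modelled on the OpenID 2.0 HMAC-over-key-value-form scheme but uses a fixed shared key rather than a real association.

```python
import base64
import hashlib
import hmac

# PAPE namespace and policy URIs as published in the PAPE 1.0 extension.
PAPE_NS = "http://specs.openid.net/extensions/pape/1.0"
PHISHING_RESISTANT = "http://schemas.openid.net/pape/policies/2007/06/phishing-resistant"
PAPE_NONE = "http://schemas.openid.net/pape/policies/2007/06/none"


def build_pape_request(base_params, policies, max_auth_age=None):
    """RP side: add PAPE parameters asking the OP to apply the given policies."""
    params = dict(base_params)
    params["openid.ns.pape"] = PAPE_NS
    params["openid.pape.preferred_auth_policies"] = " ".join(policies)
    if max_auth_age is not None:
        params["openid.pape.max_auth_age"] = str(max_auth_age)
    return params


def kv_form(params, signed_fields):
    """Key-value form over the signed fields (field names without the 'openid.' prefix).
    Returns None if a listed field is absent, so a verifier cannot be tricked by a
    'signed' list that names fields the message does not carry."""
    out = []
    for field in signed_fields:
        value = params.get("openid." + field)
        if value is None:
            return None
        out.append(f"{field}:{value}\n")
    return "".join(out)


def sign_response(params, signed_fields, mac_key):
    """OP side: set openid.signed and openid.sig (HMAC-SHA256, base64)."""
    params = dict(params)
    params["openid.signed"] = ",".join(signed_fields)
    digest = hmac.new(mac_key, kv_form(params, signed_fields).encode(), hashlib.sha256).digest()
    params["openid.sig"] = base64.b64encode(digest).decode()
    return params


def op_positive_assertion(mac_key, applied_policies, sign_pape=True):
    """OP side (constructed): a positive assertion carrying PAPE response fields.
    sign_pape=False models an OP that emits the PAPE fields outside the signed list."""
    params = {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "id_res",
        "openid.op_endpoint": "https://op.example/endpoint",      # constructed
        "openid.claimed_id": "https://alice.op.example/",         # constructed
        "openid.identity": "https://alice.op.example/",           # constructed
        "openid.return_to": "https://rp.example/return",          # constructed
        "openid.response_nonce": "2008-10-28T22:47:26Zexamplenonce",  # constructed
        "openid.assoc_handle": "assoc-handle-1",                  # constructed
        "openid.ns.pape": PAPE_NS,
        "openid.pape.auth_policies": " ".join(applied_policies) if applied_policies else PAPE_NONE,
        "openid.pape.auth_time": "2008-10-28T22:40:00Z",
    }
    signed = ["op_endpoint", "claimed_id", "identity", "return_to",
              "response_nonce", "assoc_handle"]
    if sign_pape:
        signed += ["ns.pape", "pape.auth_policies", "pape.auth_time"]
    return sign_response(params, signed, mac_key)


def rp_asserted_phishing_resistant(params, mac_key):
    """RP side: True only if the OP's *signed* PAPE fields assert the phishing-resistant policy.

    This establishes what the OP claims about how it authenticated the user; it cannot
    tell the RP anything about where the user was actually sent during the login (the
    dishonest-RP case discussed in the thread is out of PAPE's scope)."""
    signed_fields = [f for f in params.get("openid.signed", "").split(",") if f]
    material = kv_form(params, signed_fields)
    if material is None:
        return False
    expected = base64.b64encode(
        hmac.new(mac_key, material.encode(), hashlib.sha256).digest()).decode()
    if not hmac.compare_digest(expected, params.get("openid.sig", "")):
        return False
    # Unsigned extension fields could have been added in transit; require them to be covered.
    if "ns.pape" not in signed_fields or "pape.auth_policies" not in signed_fields:
        return False
    if params.get("openid.ns.pape") != PAPE_NS:
        return False
    # auth_policies is a space-separated list of URIs; the 'none' URI means no policy applied.
    return PHISHING_RESISTANT in params["openid.pape.auth_policies"].split()


if __name__ == "__main__":
    key = b"constructed-association-mac-key"
    request = build_pape_request({"openid.mode": "checkid_setup"}, [PHISHING_RESISTANT])
    print("RP asks for:", request["openid.pape.preferred_auth_policies"])
    print("OP applied it, signed:", rp_asserted_phishing_resistant(op_positive_assertion(key, [PHISHING_RESISTANT]), key))
    print("OP applied none:", rp_asserted_phishing_resistant(op_positive_assertion(key, []), key))
    print("OP applied it, unsigned:", rp_asserted_phishing_resistant(op_positive_assertion(key, [PHISHING_RESISTANT], sign_pape=False), key))
```

The last case is the one worth keeping in mind when wiring this into an RP: an OP that emits `openid.pape.auth_policies` but leaves it out of `openid.signed` gives the RP nothing it can rely on, and the check above treats that the same as no policy.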