[OpenID] Phishing resistant policy of PAPE

SitG Admin sysadmin at shadowsinthegarden.com
Tue Oct 28 22:57:54 UTC 2008


>Yes, I agree that the credentials issue is important. I assume that
>the RP trusts the OP because it has looked into how the OP implements
>the non-phishable authentication mechanism, and is satisfied with that
>level of assurance.

This could leave us with a dearth of RP-trusting-OP relationships.
But perhaps we can streamline this auditing process? If each
(serious, commercial) OP had an account type that could only be used
to authenticate an RP to itself, and there were standards on how to
set it up (via OpenID), an RP seeing some new OP could negotiate an
account there, run some tests to see how the OP did on anti-phishing
(or ping an admin to come test it), and very quickly respond to newly
introduced OPs.

If the phishing-resistance is *optional*, and the user logs in
somewhere, then thinks "Oh wait, that didn't look right, I wonder if
I've just been phished?" and types in their OP's URL to activate
their anti-phishing measures, that OP should at the very least start
notifying RPs of when this happened - I'd like to know so I can be
suspicious.

-Shade
