[OpenID] Phishing resistant policy of PAPE
SitG Admin
sysadmin at shadowsinthegarden.com
Tue Oct 28 22:57:54 UTC 2008
>Yes, I agree that the credentials issue is important. I assume that
>the RP trusts the OP because it has looked into how the OP implements
>the non-phishable authentication mechanism, and is satisfied with that
>level of assurance.
This could leave us with a dearth of RP-trusting-OP relationships.
But perhaps we can streamline this auditing process? If each
(serious, commercial) OP had an account type that could only be used
to authenticate a RP to itself, and there were standards on how to
set it up (via OpenID), a RP seeing some new OP could negotiate an
account there, run some tests to see how the OP did on anti-phishing
(or ping an admin to come test it), and very quickly respond to newly
introduced OPs.
If the phishing-resistance is *optional*, and the user logs in
somewhere, then thinks "Oh wait, that didn't look right, I wonder if
I've just been phished?" and types in their OP's URL to activate
their anti-phishing measures, that OP should at the very least start
notifying RPs of when this happened - I'd like to know so I can be
suspicious.
-Shade