[OpenID] Phishing resistant policy of PAPE
Breno de Medeiros
breno at google.com
Tue Oct 28 23:41:53 UTC 2008
On Tue, Oct 28, 2008 at 3:47 PM, Eric Norman <ejnorman at doit.wisc.edu> wrote:
>
> On Oct 28, 2008, at 5:09 PM, Breno de Medeiros wrote:
>
>> On Tue, Oct 28, 2008 at 1:31 PM, Eric Norman <ejnorman at doit.wisc.edu>
>> wrote:
>
>>> It would be more
>>> accurate to call it "Ben Laurie attack resistance".
>>>
>>
>> PAPE enables the RP to ask the OP to employ a phishing-resistant form
>> of authentication.
>>
>> PAPE does not prevent the user from being phished by dishonest RPs,
>> but that is not a goal of the specification.
>>
>> -If the RP trusts the OP, and the OP asserts that it has employed a
>> phishing-resistant form of authentication to authenticate _this_ user,
>> then the RP is satisfied that the user is not using phished
>> credentials. Do you object to this statement?
>
> Yes. It is misleading. It fails to resist the phishing attack
> that has been presented. See http://www.links.org/?p=187 for
> why the above is a more accurate label.
The phishing attack that you presented above is not a phishing attack
that can be prevented. The protection PAPE provides is to the RP (and
by extension, to the user's RP account). Web and more generally
information security has a long tradition of defining restricted
security goals (e.g., one-sided authentication in SSL without client
certificates) that provide security only for a particular context and
set of players.

Take SSL: In over 99% of the use cases SSL does not provide mutual
authentication because no client-side certificates are used. And
moreover most users have not configured their browsers to check CRLs.
So websites rely on clients to check CRLs, but they do not. Therefore
it would be more proper to describe SSL as a
private-channel-negotiation-protocol-where-authentication-is-somewhat-better-than-that-provided-by-DNS-but-not-really-strong-because-users-do-not-pay-attention-to-the-padlock-icon-and-browsers-do-not-check-CRLs.
However, when people ask me to describe SSL in a nutshell, I say it is
a strong authentication protocol.

PAPE is intended to assure honest RPs that the users are being
authenticated with non-phishable credentials. PAPE is _not_ intended
to protect users against phishing in general. However, if the OP does
support authentication protocols that are non-phishable, users can
leverage PAPE to sign in to other sites also using non-phishable
credentials. If the RPs allow users to configure settings to only
accept login from OPs that the RP trusts to correctly implement
non-phishable authentication, then users can enjoy protection of those
RP-hosted accounts against phishing. However, even in that case, PAPE
is only preventing phishing _of_the_credentials_, not of anything else
that the user volunteers to enter somewhere.

Again, PAPE is restricted to:
--protection of login credentials
--leverage of the non-phishable (or, more generally, security-'level' type)
authentication available in the OP account to arrive at (non-phishable,
'security level' type) authentication in RP accounts, assuming the RP
trusts the OP to implement these measures.

PAPE's value is that implementing, say, mutual-factor authentication
is expensive and RPs can leverage the OP capabilities to obtain
comparable benefit.
>
> Eric Norman
>
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general
>
--
--Breno
+1 (650) 214-1007 desk
+1 (408) 212-0135 (Grand Central)
MTV-41-3 : 383-A
PST (GMT-8) / PDT(GMT-7)
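The RP-side decision the message describes (trust a fixed set of OPs, accept a login only when such an OP asserts a phishing-resistant policy for this user, and treat the assertion as worthless from any other OP), written out as an added example. This is illustrative code, not code from the thread or from any OpenID library. The `openid.pape.*` field names and the policy URIs are those defined in PAPE 1.0; the trusted-OP list, the sample response and the freshness window are constructed for the example. The code assumes the RP has already verified the OpenID signature and that the `openid.pape.*` fields were among the signed fields, since an unsigned policy claim proves nothing.

```python
"""Evaluate a PAPE response the way a relying party (RP) would.

Added example, not part of the mailing-list thread or of any OpenID
implementation. Field names and policy URIs are from PAPE 1.0; the
trusted-OP set and sample data below are constructed for illustration.
"""
from datetime import datetime, timezone

# Policy identifiers defined by PAPE 1.0.
PHISHING_RESISTANT = "http://schemas.openid.net/pape/policies/2007/06/phishing-resistant"
MULTI_FACTOR = "http://schemas.openid.net/pape/policies/2007/06/multi-factor"
MULTI_FACTOR_PHYSICAL = "http://schemas.openid.net/pape/policies/2007/06/multi-factor-physical"

# Constructed: the OP endpoints this RP trusts to actually implement the
# policies they assert. PAPE only helps the RP when this trust is justified;
# a policy claim from any other OP is ignored.
TRUSTED_OPS = {"https://op.example.net/"}


def parse_auth_policies(value):
    """openid.pape.auth_policies is a space-separated list of policy URIs.
    PAPE uses the literal value 'none' when no policy was applied."""
    value = value.strip()
    if not value or value == "none":
        return set()
    return set(value.split())


def parse_auth_time(value):
    """openid.pape.auth_time is ISO 8601 in UTC, e.g. 2008-10-28T23:41:53Z.
    Raises ValueError on anything else."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def evaluate_pape_response(response, op_endpoint, now_utc, max_auth_age):
    """Return (accept, reason).

    response     -- OpenID response keys/values, after the RP has verified the
                    signature and confirmed the openid.pape.* fields are signed
                    (assumed here; signature checking is outside this example).
    op_endpoint  -- the OP endpoint URL the assertion came from.
    now_utc      -- the RP's current time, same ISO 8601 UTC format as auth_time.
    max_auth_age -- freshness window in seconds (the unit of
                    openid.pape.max_auth_age in the RP's request).
    """
    if op_endpoint not in TRUSTED_OPS:
        return False, "OP is not trusted to implement phishing-resistant auth"

    policies = parse_auth_policies(response.get("openid.pape.auth_policies", ""))
    if PHISHING_RESISTANT not in policies:
        # Multi-factor alone is not the property this RP asked for.
        return False, "OP did not assert a phishing-resistant policy"

    auth_time_raw = response.get("openid.pape.auth_time")
    if auth_time_raw is None:
        return False, "OP did not report when the user authenticated"
    try:
        auth_time = parse_auth_time(auth_time_raw)
    except ValueError:
        return False, "malformed openid.pape.auth_time"

    age = (parse_auth_time(now_utc) - auth_time).total_seconds()
    if age < 0 or age > max_auth_age:
        # A stale (or future-dated) authentication event is not accepted even
        # from a trusted OP; the policy must have been applied for this login.
        return False, "authentication is outside the RP's max_auth_age window"

    return True, "trusted OP asserts fresh phishing-resistant authentication"


if __name__ == "__main__":
    # Constructed sample: a trusted OP asserting two policies for a login
    # performed 113 seconds before the RP evaluates it.
    sample = {
        "openid.pape.auth_policies": PHISHING_RESISTANT + " " + MULTI_FACTOR,
        "openid.pape.auth_time": "2008-10-28T23:40:00Z",
    }
    print(evaluate_pape_response(sample, "https://op.example.net/",
                                 "2008-10-28T23:41:53Z", 300))
```

The order of the checks reflects the point made in the message: the policy URI in the response is only meaningful once the RP has decided, out of band, that this particular OP can be trusted to implement it, so the trust check comes first and no parsing of the OP's claims happens for an untrusted endpoint.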