[OpenID] Phishing resistant policy of PAPE
Eddy Nigg (StartCom Ltd.)
eddy_nigg at startcom.org
Wed Oct 29 00:30:39 UTC 2008
On 10/29/2008 01:41 AM, Breno de Medeiros:
> Take SSL: And
> moreover most users have not configured their browsers to check CRLs.
> So websites rely on clients to check CRLs, but they do not.
>
Just to set the record straight, but modern browsers check CRLs or consult
OCSP responders for validity by default. This is correct for IE7, FF3,
Opera and perhaps most others.
> PAPE is intended to assure honest RPs that the users are being
> authenticated with non-phishable credentials. PAPE is _not_ intended
> to protect users against phishing in general.
PAPE doesn't protect against anything, it gives an opinion about the
authentication methods used. There is no authority or standards body
confirming implementations.
> is only preventing phishing _of_the_credentials, not of anything else
> that the user volunteers to enter somewhere.
>
Correct.
> Again, PAPE is restricted to:
>
> --protection of login credentials
> --leverage non-phishable (or more general, security 'level' type of
> authentication) available in OP account to arrive at (non-phishable,
> 'security level' type of authentication) in RP accounts, assuming RP
> trusts the OP to implement these measures.
>
Indeed.
Regards
Signer: Eddy Nigg, StartCom Ltd. <http://www.startcom.org>
Jabber: startcom at startcom.org <xmpp:startcom at startcom.org>
Blog: Join the Revolution! <http://blog.startcom.org>
Phone: +1.213.341.0390
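
An added example, not part of the original message: a sketch of how an RP could treat a PAPE "phishing-resistant" claim as an OP's opinion that counts only when it comes from an OP the RP has chosen to trust and is covered by the assertion signature. The allowlist, the endpoint URLs, the function names and the sample responses are constructed for illustration, and signature verification is assumed to be done elsewhere.

```python
from urllib.parse import parse_qsl, urlencode

PAPE_NS = "http://specs.openid.net/extensions/pape/1.0"
PHISHING_RESISTANT = "http://schemas.openid.net/pape/policies/2007/06/phishing-resistant"
TRUSTED_OPS = {"https://op.example.com/server"}  # hypothetical RP-side allowlist

def check_pape(query, signature_verified):
    """Return (ok, reason) for the PAPE claim in a positive assertion.

    signature_verified is the result of the RP's normal OpenID signature
    check, which is assumed to happen outside this function.
    """
    p = dict(parse_qsl(query, keep_blank_values=True))
    if not signature_verified:
        return False, "assertion signature not verified"
    # PAPE is only the OP's statement; it has weight only if the RP trusts that OP.
    if p.get("openid.op_endpoint") not in TRUSTED_OPS:
        return False, "OP not trusted for PAPE claims"
    # The extension alias is chosen by the OP, so look it up by namespace URI.
    alias = next((k[len("openid.ns."):] for k, v in p.items()
                  if k.startswith("openid.ns.") and v == PAPE_NS), None)
    if alias is None:
        return False, "no PAPE response"
    signed = set(p.get("openid.signed", "").split(","))
    if not {"op_endpoint", f"ns.{alias}", f"{alias}.auth_policies"} <= signed:
        return False, "PAPE fields not covered by signature"
    policies = p.get(f"openid.{alias}.auth_policies", "").split()
    if PHISHING_RESISTANT not in policies:
        return False, "OP did not claim phishing-resistant authentication"
    return True, "trusted OP claims phishing-resistant authentication"

def sample_response(op, policies, sign_pape=True):
    """Build a constructed positive assertion query string for the demo."""
    signed = "op_endpoint,claimed_id,identity,return_to,response_nonce"
    if sign_pape:
        signed += ",ns.pape,pape.auth_policies"
    return urlencode({
        "openid.mode": "id_res",
        "openid.op_endpoint": op,
        "openid.ns.pape": PAPE_NS,
        "openid.pape.auth_policies": policies,
        "openid.signed": signed,
    })

if __name__ == "__main__":
    for op in ("https://op.example.com/server", "https://unknown-op.example.net/"):
        print(op, check_pape(sample_response(op, PHISHING_RESISTANT), True))
```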