[OpenID] Phishing resistant policy of PAPE

Breno de Medeiros breno at google.com
Wed Oct 29 00:43:49 UTC 2008


On Tue, Oct 28, 2008 at 5:30 PM, Eddy Nigg (StartCom Ltd.)
<eddy_nigg at startcom.org> wrote:
> On 10/29/2008 01:41 AM, Breno de Medeiros:
>
> Take SSL: And
> moreover most users have not configured their browsers to check CRLs.
> So websites rely on clients to check CRLs, but they do not.
>
>
> Just to set the record straight, but modern browsers check CRLs or consult
> OCSP responders for validity by default. This is correct for IE7, FF3, Opera
> and perhaps most others.
>
> PAPE is intended to assure honest RPs that the users are being
> authenticated with non-phishable credentials. PAPE is _not_ intended
> to protect users against phishing in general.
>
> PAPE doesn't protect against anything, it gives an opinion about the
> authentication methods used. There is no authority or standards body
> confirming implementations.

This is equivalent to saying that non-EV SSL certificates do not protect
against anything, but EV certificates do because the implementations
are confirmed. Maybe you are comfortable with this statement, but I
suspect some might disagree.

>
> is only preventing phishing _of_the_credentials, not of anything else
> that the user volunteers to enter somewhere.
>
>
> Correct.
>
> Again, PAPE is restricted to:
>
> --protection of login credentials
> --leverage non-phishable (or more general, security 'level' type of
> authentication) available in OP account to arrive at (non-phishable,
> 'security level' type of authentication) in RP accounts, assuming RP
> trusts the OP to implement these measures.
>
>
> Indeed.
>
>
>
> Regards
>
> Signer:  Eddy Nigg, StartCom Ltd.
> Jabber:  startcom at startcom.org
> Blog:  Join the Revolution!
> Phone:  +1.213.341.0390
>
>
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general
>
>



-- 
--Breno

+1 (650) 214-1007 desk
+1 (408) 212-0135 (Grand Central)
MTV-41-3 : 383-A
PST (GMT-8) / PDT(GMT-7)
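The RP-side check that this scoping implies, as an added example (not code from this thread or from the OpenID project): the RP reads the PAPE assertion, ignores PAPE fields the OP did not sign, and treats the asserted policy as meaningful only for OPs it has chosen to trust, since, as the thread says, no authority confirms implementations. Field names and policy URIs follow the PAPE 1.0 specification; the response dicts, the TRUSTED_OPS allow-list and the OP URLs are constructed for the example, and verification of the OpenID signature itself is assumed to have been done before these functions run.

```python
"""RP-side evaluation of a PAPE assertion.  Added example, not code from the
thread or from the OpenID project.  Field names and policy URIs follow the
PAPE 1.0 specification; every response dict below is constructed by hand
(no network, no real OP), and the OpenID signature over the response is
assumed to have been verified by the caller already."""

PAPE_NS = "http://specs.openid.net/extensions/pape/1.0"
PHISHING_RESISTANT = "http://schemas.openid.net/pape/policies/2007/06/phishing-resistant"
MULTI_FACTOR = "http://schemas.openid.net/pape/policies/2007/06/multi-factor"

# Hypothetical allow-list of OPs this RP trusts to actually implement the
# policies they assert.  PAPE carries the OP's own statement about how the
# user was authenticated; nothing in the protocol confirms it, so the RP's
# trust in the OP is what gives the assertion any weight.
TRUSTED_OPS = {"https://op.example.com/"}


def pape_alias(response):
    """Return the extension alias bound to the PAPE namespace, or None."""
    for key, value in response.items():
        if key.startswith("openid.ns.") and value == PAPE_NS:
            return key[len("openid.ns."):]
    return None


def signed_fields(response):
    """Field names (without the 'openid.' prefix) covered by the OP signature."""
    return {f.strip() for f in response.get("openid.signed", "").split(",") if f.strip()}


def asserted_policies(response):
    """Policies the OP claims to have applied.  Empty set if the PAPE fields
    are absent, unsigned, or set to the literal 'none'."""
    alias = pape_alias(response)
    if alias is None:
        return set()
    signed = signed_fields(response)
    policy_field = f"{alias}.auth_policies"
    # An unsigned PAPE field could have been added by anyone on the path
    # (including the user's browser); treat it as if it were missing.
    if f"ns.{alias}" not in signed or policy_field not in signed:
        return set()
    raw = response.get(f"openid.{policy_field}", "").strip()
    if raw in ("", "none"):
        return set()
    return set(raw.split())


def credentials_are_phishing_resistant(response, required=(PHISHING_RESISTANT,)):
    """True only if a trusted OP signed an assertion naming every required policy."""
    if response.get("openid.op_endpoint") not in TRUSTED_OPS:
        return False
    policies = asserted_policies(response)
    return all(policy in policies for policy in required)


def _response(op, policies, signed_pape=True):
    """Build a constructed positive assertion (not a real OP response)."""
    signed = "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle"
    if signed_pape:
        signed += ",ns.pape,pape.auth_policies,pape.auth_time"
    return {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.op_endpoint": op,
        "openid.ns.pape": PAPE_NS,
        "openid.pape.auth_policies": policies,
        "openid.pape.auth_time": "2008-10-29T00:43:49Z",
        "openid.signed": signed,
    }


# Constructed sample responses covering the cases an RP has to distinguish.
SIGNED_OK = _response("https://op.example.com/", f"{PHISHING_RESISTANT} {MULTI_FACTOR}")
UNSIGNED = _response("https://op.example.com/", PHISHING_RESISTANT, signed_pape=False)
POLICY_NONE = _response("https://op.example.com/", "none")
UNTRUSTED = _response("https://other-op.example.net/", PHISHING_RESISTANT)

if __name__ == "__main__":
    for name, resp in [("signed ok", SIGNED_OK), ("unsigned", UNSIGNED),
                       ("none", POLICY_NONE), ("untrusted OP", UNTRUSTED)]:
        print(f"{name:12s} phishing-resistant={credentials_are_phishing_resistant(resp)}")
```

The untrusted-OP case is the one the thread is really about: the response is well-formed and signed, and the OP did assert the phishing-resistant policy, but the RP has no basis for believing it beyond its own decision to trust that OP.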


