[OpenID] Phishing resistant policy of PAPE

Eddy Nigg (StartCom Ltd.) eddy_nigg at startcom.org
Wed Oct 29 01:38:05 UTC 2008


On 10/29/2008 02:43 AM, Breno de Medeiros:
>> PAPE doesn't protect against anything, it gives an opinion about the
>> authentication methods used. There is no authority or standards body
>> confirming implementations.
>>      
>
> This is equivalent to saying that non-EV SSL certificates do not protect
> against anything, but EV certificates do because the implementations
> are confirmed.
>    

Non-EV certificates protect at least against MITM attacks; EV additionally 
provides identification according to the EV guidelines as defined by 
the EV/Browser forum. Non-EV may do that too, but not according to the 
same guidelines... but I guess this is the wrong forum for this kind of 
discussion.

However, PAPE doesn't give and can't give any guarantees whatsoever. It 
provides an *opinion* of the provider concerning the implemented 
authentication methods. It's up to the RP to make the correct assessment 
concerning the information received. This is like self-signed 
certificates - it's a claim but you don't know for sure (except in the 
rare case you've got the fingerprint and you know the other party).


Regards
Signer: 	Eddy Nigg, StartCom Ltd. <http://www.startcom.org>
Jabber: 	startcom at startcom.org <xmpp:startcom at startcom.org>
Blog: 	Join the Revolution! <http://blog.startcom.org>
Phone: 	+1.213.341.0390
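
The RP-side assessment described in the message above, as an added example that is not part of the original post or of any OpenID library: the phishing-resistant PAPE claim is accepted only when it is covered by the assertion signature and comes from an OP the RP has vetted itself. The function names, the `TRUSTED_OPS` allowlist and the sample endpoints are assumptions, and the assertion signature is assumed to have been verified already.

```python
# Added example: RP-side handling of a PAPE claim. All names here are hypothetical.
PAPE_NS = "http://specs.openid.net/extensions/pape/1.0"
PHISHING_RESISTANT = "http://schemas.openid.net/pape/policies/2007/06/phishing-resistant"

# Assumption: OPs whose PAPE statements this RP has chosen to believe after
# its own out-of-band assessment (constructed sample value).
TRUSTED_OPS = {"https://op.example.com/server"}


def pape_alias(params):
    """Find the alias the OP bound to the PAPE namespace (it need not be 'pape')."""
    for key, value in params.items():
        if key.startswith("openid.ns.") and value == PAPE_NS:
            return key[len("openid.ns."):]
    return None


def assess_phishing_resistant(params, trusted_ops=TRUSTED_OPS):
    """Return (accepted, reason) for an already signature-verified assertion."""
    alias = pape_alias(params)
    if alias is None:
        return False, "no PAPE response"
    signed = set(params.get("openid.signed", "").split(","))
    needed = {"op_endpoint", "ns." + alias, alias + ".auth_policies"}
    if not needed <= signed:
        return False, "PAPE fields not covered by the assertion signature"
    policies = params.get("openid." + alias + ".auth_policies", "").split()
    if PHISHING_RESISTANT not in policies:
        return False, "OP does not claim phishing-resistant authentication"
    if params.get("openid.op_endpoint") not in trusted_ops:
        return False, "claim comes from an OP this RP has not assessed"
    return True, "claim accepted on the RP's own trust decision"


def sample(op_endpoint, alias="pape", policies=PHISHING_RESISTANT, sign_pape=True):
    """Build a constructed assertion fragment for demonstration."""
    signed = "op_endpoint,claimed_id"
    if sign_pape:
        signed += ",ns.%s,%s.auth_policies" % (alias, alias)
    return {"openid.op_endpoint": op_endpoint,
            "openid.ns." + alias: PAPE_NS,
            "openid." + alias + ".auth_policies": policies,
            "openid.signed": signed}


if __name__ == "__main__":
    for op in ("https://op.example.com/server", "https://unknown-op.example.net/"):
        print(op, assess_phishing_resistant(sample(op)))
```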

