[OpenID] Phishing resistant policy of PAPE

Martin Atkins mart at degeneration.co.uk
Wed Oct 29 02:08:06 UTC 2008


Eric Norman wrote:
> 
> True enough.  And the so-called phishing resistance of OpenID doesn't
> change this.  I.e. it doesn't add any different signals that can't be
> faked by evil.com.  That's the point;  That's why I say the phrase
> is misleading.
> 

I don't know about anyone else, but I've always understood "phishing 
resistant" to mean that the authentication mechanism in use cannot be 
phished at all, even if the user doesn't watch out for the "signals".

The key requirement here is that nothing of value gets entered into the 
browser. How that is accomplished is obviously a matter for implementors.

Of course, PAPE applies only to the OpenID Authentication bit of the 
transaction. If the user subsequently enters a credit card number 
somewhere, there's little OpenID can do about it.
