[OpenID] Phishing resistant policy of PAPE
Martin Atkins
mart at degeneration.co.uk
Wed Oct 29 02:08:06 UTC 2008
Eric Norman wrote:
>
> True enough. And the so-called phishing resistance of OpenID doesn't
> change this. I.e. it doesn't add any different signals that can't be
> faked by evil.com. That's the point; that's why I say the phrase
> is misleading.
>
I don't know about anyone else, but I've always understood "phishing
resistant" to mean that the authentication mechanism in use cannot be
phished at all, even if the user doesn't watch out for the "signals".
The key requirement here is that nothing of value gets entered into the
browser. How that is accomplished is obviously a matter for implementors.
Of course, PAPE applies only to the OpenID Authentication bit of the
transaction. If the user subsequently enters a credit card number
somewhere, there's little OpenID can do about it.
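As an added illustration of the Relying Party side of what Martin describes (this is example code written for this page, not code from the thread or from any OpenID library), the following shows how an RP asks an OP for the PAPE phishing-resistant policy and then checks whether the OP actually asserted it in the response. The namespace and policy URIs are the ones PAPE 1.0 defines; the response dictionary is a constructed sample, the signature value is a placeholder, and the code assumes `openid.sig` has already been verified elsewhere. The check insists that the PAPE fields are listed in `openid.signed`, since an unsigned `auth_policies` value tells the RP nothing; and, as the mail says, a satisfied policy only covers the OpenID Authentication step itself.

```python
# Added example, not code from the original thread: the Relying Party (RP)
# side of requesting and checking the PAPE phishing-resistant policy.
# Assumes an OpenID 2.0 response already parsed into a dict of openid.*
# parameters and that the signature (openid.sig) was verified beforehand.

PAPE_NS = "http://specs.openid.net/extensions/pape/1.0"
PHISHING_RESISTANT = "http://schemas.openid.net/pape/policies/2007/06/phishing-resistant"
NO_POLICY = "http://schemas.openid.net/pape/policies/2007/06/none"


def build_pape_request(policies=(PHISHING_RESISTANT,), max_auth_age=None):
    """Extra openid.* parameters an RP adds to its checkid_setup request
    to ask the OP to authenticate the user under the given PAPE policies."""
    params = {
        "openid.ns.pape": PAPE_NS,
        "openid.pape.preferred_auth_policies": " ".join(policies),
    }
    if max_auth_age is not None:
        params["openid.pape.max_auth_age"] = str(int(max_auth_age))
    return params


def pape_alias(params):
    """Return the extension alias bound to the PAPE namespace, or None.
    The alias is usually 'pape', but OpenID 2.0 lets the OP pick any alias."""
    for key, value in params.items():
        if key.startswith("openid.ns.") and value == PAPE_NS:
            return key[len("openid.ns."):]
    return None


def signed_fields(params):
    """Field names (without the 'openid.' prefix) covered by the OP's signature."""
    return set(f for f in params.get("openid.signed", "").split(",") if f)


def asserted_policies(params):
    """Policy URIs the OP claims were satisfied; empty if absent or 'none'."""
    alias = pape_alias(params)
    if alias is None:
        return set()
    raw = params.get(f"openid.{alias}.auth_policies", "")
    policies = set(raw.split())
    policies.discard(NO_POLICY)
    return policies


def phishing_resistant_satisfied(params):
    """True only if the OP asserted the phishing-resistant policy AND the
    fields carrying that assertion are in the signed set, so the claim is
    the OP's own and was not added or altered on the way back to the RP."""
    alias = pape_alias(params)
    if alias is None:
        return False
    required = {f"ns.{alias}", f"{alias}.auth_policies"}
    if not required <= signed_fields(params):
        return False
    return PHISHING_RESISTANT in asserted_policies(params)


# Constructed sample response (not real OP output); the signature is a placeholder.
SAMPLE_RESPONSE = {
    "openid.ns": "http://specs.openid.net/auth/2.0",
    "openid.mode": "id_res",
    "openid.claimed_id": "https://example.org/alice",
    "openid.ns.pape": PAPE_NS,
    "openid.pape.auth_policies": PHISHING_RESISTANT,
    "openid.pape.auth_time": "2008-10-29T02:00:00Z",
    "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,"
                     "assoc_handle,ns.pape,pape.auth_policies,pape.auth_time",
    "openid.sig": "PLACEHOLDER-BASE64-SIGNATURE",
}

# Same claim, but the PAPE fields are missing from openid.signed: must be rejected.
UNSIGNED_PAPE_RESPONSE = dict(SAMPLE_RESPONSE)
UNSIGNED_PAPE_RESPONSE["openid.signed"] = (
    "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle"
)

# An OP that explicitly answered with the 'none' policy.
NONE_POLICY_RESPONSE = dict(SAMPLE_RESPONSE)
NONE_POLICY_RESPONSE["openid.pape.auth_policies"] = NO_POLICY

if __name__ == "__main__":
    print(build_pape_request(max_auth_age=300))
    print(phishing_resistant_satisfied(SAMPLE_RESPONSE))          # True
    print(phishing_resistant_satisfied(UNSIGNED_PAPE_RESPONSE))   # False
    print(phishing_resistant_satisfied(NONE_POLICY_RESPONSE))     # False
```

The RP only learns what the OP asserts; whether the OP's login step really keeps anything of value out of the browser is, as the mail says, up to the OP's implementation, and nothing in this check changes what happens after the OpenID exchange is over.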