[OpenID] Phishing resistant policy of PAPE
Peter Williams
pwilliams at rapattoni.com
Wed Oct 29 02:25:26 UTC 2008
phishing-resistant is nothing more than a category of pape-typed assertion one can make. Nothing more. If it's not true, the OP should not assert it.
If a credible party (google OP?) wants to assert that its OP behavior is phishing resistant (whatever google defines that to mean, and however it accomplishes it) so be it.
As I recall, the TrustBearer folk claim phishing resistance in their OP, since it's going to be tough for the RP (under the PAPE definition of phishing-resistant) to spoof the OP subscriber who, whilst talking to the OP, was using the required smartcard-based user-authentication handshake.
Now I built the TrustBearer myself, from firmware up. My smartcard (IBM) chip, my javacard firmware, my/TrustBearer's musclecard firmware/applet, and my RSA keygen - and then TrustBearer's auth handshake (leveraging a (signed) ActiveX remoting class).
----------
So why use the misleading label "phishing-resistant"? It offers
no resistance to the phishing attack above. It would be more
accurate to call it "Ben Laurie attack resistance".
Eric Norman
_______________________________________________
general mailing list
general at openid.net
http://openid.net/mailman/listinfo/general