[OpenID] Phishing resistant policy of PAPE

Ben Laurie benl at google.com
Wed Oct 29 10:35:00 UTC 2008


On Tue, Oct 28, 2008 at 10:41 PM, SitG Admin
<sysadmin at shadowsinthegarden.com> wrote:
>>PAPE enables the RP to ask the OP to employ a phishing-resistant form
>>of authentication.
>>
>>PAPE does not prevent the user from being phished by dishonest RPs,
>>but that is not a goal of the specification.
>>
>>-If the RP trusts the OP, and the OP asserts that it has employed a
>>phishing-resistant form of authentication to authenticate _this_ user,
>>then the RP is satisfied that the user is not using phished
>>credentials. Do you object to this statement?
>
> I do. I would be satisfied that the user was *probably* not using
> phished credentials, but not assign it the status of an absolute.
>
> Also, when did the OP *begin* using this phishing-resistant form of
> authentication? More importantly, have the user's credentials changed
> since their level of security was upgraded?

This is why we say "Similarly, sometimes using a phishing-resistant
method when a phishable method continues to also sometimes be employed
may still enable phishing attacks to compromise the OpenID."

>
> -Shade
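The exchange above turns on what an RP can and cannot conclude from a PAPE response: the OP's assertion of a phishing-resistant policy is a signal about one authentication event, not proof that the credentials were never phished, and the `auth_time` the OP reports matters as much as the policy URI. The following is an added example (not code from the thread, the OpenID project, or any library) of how an RP might evaluate that response. It uses the real PAPE policy URIs and field names (`openid.pape.auth_policies`, `openid.pape.auth_time`, `openid.signed`); the sample responses, the timestamps, and the optional `trusted_since` cut-off (an RP-local rule reflecting Shade's "when did the OP begin" question, not anything PAPE defines) are constructed for illustration.

```python
"""RP-side evaluation of a PAPE response (added example; assumptions are labelled)."""
from datetime import datetime, timedelta, timezone

# Real PAPE 1.0 policy identifiers.
PHISHING_RESISTANT = "http://schemas.openid.net/pape/policies/2007/06/phishing-resistant"
NONE_POLICY = "http://schemas.openid.net/pape/policies/2007/06/none"


def parse_auth_time(value):
    """PAPE auth_time is an ISO 8601 UTC timestamp, e.g. 2008-10-28T22:41:00Z."""
    if not value.endswith("Z"):
        raise ValueError("auth_time must be in UTC (trailing Z)")
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def evaluate_pape(response, now, max_auth_age_seconds, trusted_since=None):
    """Decide whether an RP should treat this login as phishing-resistant.

    Returns (accepted, reasons). An empty reasons list means accepted.
    `trusted_since` is a hypothetical RP-local cut-off: the earliest auth_time
    the RP is willing to credit as phishing-resistant (e.g. the date the OP
    announced the stronger method). PAPE itself has no such field.
    """
    reasons = []

    # The PAPE fields must be covered by the OP's signature; an unsigned
    # assertion could have been altered in transit. openid.signed lists field
    # names without the "openid." prefix.
    signed = set(response.get("openid.signed", "").split(","))
    for field in ("pape.auth_policies", "pape.auth_time"):
        if field not in signed:
            reasons.append(f"{field} is not covered by the OP signature")

    # auth_policies is a space-separated list of policy URIs.
    policies = response.get("openid.pape.auth_policies", NONE_POLICY).split()
    if PHISHING_RESISTANT not in policies:
        reasons.append("OP did not assert phishing-resistant authentication")

    raw_time = response.get("openid.pape.auth_time")
    if raw_time is None:
        reasons.append("OP did not report auth_time")
    else:
        auth_time = parse_auth_time(raw_time)
        # A policy asserted for a login that happened long ago says little
        # about the session the RP is about to create.
        if now - auth_time > timedelta(seconds=max_auth_age_seconds):
            reasons.append("auth_time is older than max_auth_age")
        # Shade's point: a phishing-resistant method only helps for logins
        # performed after the OP actually started using it.
        if trusted_since is not None and auth_time < trusted_since:
            reasons.append("auth_time predates the RP's trust cut-off for this OP")

    return (not reasons, reasons)


# Constructed sample data (not captured from any real OP).
NOW = datetime(2008, 10, 28, 22, 45, tzinfo=timezone.utc)
OP_UPGRADED_AT = datetime(2008, 10, 29, tzinfo=timezone.utc)  # hypothetical

RESP_OK = {
    "openid.ns": "http://specs.openid.net/auth/2.0",
    "openid.ns.pape": "http://specs.openid.net/extensions/pape/1.0",
    "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,"
                     "assoc_handle,ns.pape,pape.auth_policies,pape.auth_time",
    "openid.pape.auth_policies": PHISHING_RESISTANT,
    "openid.pape.auth_time": "2008-10-28T22:41:00Z",
}

# Same assertion, but the PAPE fields are left out of the signed list.
RESP_UNSIGNED = dict(RESP_OK, **{
    "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle",
})

# OP honestly reports that no particular policy was applied.
RESP_NONE = dict(RESP_OK, **{"openid.pape.auth_policies": NONE_POLICY})


if __name__ == "__main__":
    for name, resp in (("ok", RESP_OK), ("unsigned", RESP_UNSIGNED), ("none", RESP_NONE)):
        print(name, evaluate_pape(resp, NOW, 600))
    print("cut-off", evaluate_pape(RESP_OK, NOW, 600, trusted_since=OP_UPGRADED_AT))
```

Even when every check passes, the result is only what Shade called "probably": the RP has verified that the OP signed a claim about one login, not that the account has never authenticated through a phishable path.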



More information about the general mailing list