<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=Content-Type content="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 12 (filtered medium)">
<!--[if !mso]>
<style>
v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style>
<![endif]-->
<style>
<!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";
color:black;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0in;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";
color:black;}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:Consolas;
color:black;}
span.EmailStyle19
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page Section1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.Section1
{page:Section1;}
-->
</style>
<!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body bgcolor=white lang=EN-US link=blue vlink=purple>
<div class=Section1>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Yes. <o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>“Pape” negotiation (vs OP-centric governance) is the
normal way to handle it (pape being a low end ciphersuite negotiation mechanism).
Then the parties remain as peers, and rp-centric federation models stay as
legitimate as op-centric federation models. Quite which one fits a particular
app is a operational matter.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<div style='border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt'>
<div>
<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'>
<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";
color:windowtext'>From:</span></b><span style='font-size:10.0pt;font-family:
"Tahoma","sans-serif";color:windowtext'> general-bounces@openid.net
[mailto:general-bounces@openid.net] <b>On Behalf Of </b>Paul Madsen<br>
<b>Sent:</b> Friday, March 20, 2009 7:32 AM<br>
<b>To:</b> Andrew Arnott<br>
<b>Cc:</b> general@openid.net<br>
<b>Subject:</b> Re: [OpenID] OpenID User Interface Working Group<o:p></o:p></span></p>
</div>
</div>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>isnt the domain of 'resistant to phishing' or not the domain
of PAPE?<br>
<br>
Andrew Arnott wrote: <o:p></o:p></p>
<div>
<p class=MsoNormal>You know what would be neat is if there was an OpenID
extension by which an RP can discover whether an OP deemed it safe to
have its login page be placed in an RP's iframe. OPs can place their
login pages in iframes totally safely, I'd say, if they took InfoCard as their
login credential.<o:p></o:p></p>
</div>
<div>
<p class=MsoNormal style='margin-bottom:12.0pt'><br clear=all>
--<br>
Andrew Arnott<br>
"I [may] not agree with what you have to say, but I'll defend to the death
your right to say it." - Voltaire<br>
<br>
<o:p></o:p></p>
<div>
<p class=MsoNormal>On Thu, Mar 19, 2009 at 7:07 PM, Allen Tom <<a
href="mailto:atom@yahoo-inc.com">atom@yahoo-inc.com</a>> wrote:<o:p></o:p></p>
<p class=MsoNormal style='margin-bottom:12.0pt'>Hi Andrew,<br>
<br>
I am in total agreement with you that phishing is a huge problem, and the Yahoo
Membership team (the same folks working on OpenID) devotes a considerable
amount of resources to fight phishing, and well as trying to help users who have
been phished.<br>
<br>
We also put in a lot of effort to educate users about phishing, and we strongly
encourage our users to setup a personalized anti-phishing Sign-in Seal, as well
as to always check the address bar of the browser before entering their Yahoo
credentials.<br>
<br>
<a href="http://security.yahoo.com/article.html?aid=2006102503" target="_blank">http://security.yahoo.com/article.html?aid=2006102503</a><br>
<a href="https://protect.login.yahoo.com/" target="_blank">https://protect.login.yahoo.com/</a><br>
<a href="http://openid.yahoo.com/" target="_blank">http://openid.yahoo.com/</a>
(Click on the OpenID Tour link to learn about phishing and OpenID)<br>
<br>
We are totally against the concept of allowing an RP to open a frame for the
user to enter their OP's password. As you pointed out, the user would have no
idea where the password is going, and this would be extremely insecure. Earlier
versions of Facebook Connect used to demonstrate this behavior, and I'm very
glad to see that Facebook has since moved the password validation into a
standalone popup window, with the browser's addressbar clearly displayed.<br>
<br>
One of Yahoo's primary security requirements with Federated SSO (OpenID, OAuth,
BBAuth, SAML) is that the user is able to recognize the Yahoo Login screen. We
do this by educating users to always check the address bar and to create a
customized Sign-in Seal. The UI Working Group believes that a popup
authentication screen, in a standalone browser window (not framed) and with the
address bar clearly displayed, providers users with the same ability to detect
phishing compared to the existing full browser redirect user experience that is
used by OpenID today.<br>
<br>
>From a user experience perspective, eliminating the browser redirect
maintains the context of the RP's site, which is the biggest complaint that
we've received with BBAuth, OAuth, and OpenID. Facebook, Yahoo, many
others have UX research showing that the redirect is a very jarring experience,
and the success rate can be dramatically improved by moving to a popup flow.<br>
<br>
As far as I can tell, an independent popup window, with the address bar
displayed, has the same characteristics with regards to phishing, as the full
browser redirect. The popup window does not prevent OPs from deploying
anti-phishing technologies, and I believe that the popup will drive more
widespread usage of OpenID, which will also increase demand for anti-phishing
solutions.<br>
<br>
thanks<br>
Allen<br>
<br>
<br>
Nash, Andrew wrote:<br>
<br>
<o:p></o:p></p>
<p class=MsoNormal>One of the ways that we have been able to reduce the
incidence of<br>
successful account takeovers has been to drill into consumers that they<br>
should NEVER sign into an account on a domain that is not directly<br>
associated with the account provider. This is not perfect, but then none<br>
of the anti-phishing techniques are - it is why we have to spend so much<br>
money and utilize so many different strategies.<br>
<br>
As it reads, UI working group will be socializing the concept among<br>
users that it is perfectly fine to enter your authentication information<br>
at any site that pops up a frame asking for it. From an Internet trust<br>
perspective this is a REALLY BAD IDEA!<br>
<br>
OpenID is already criticized for its exposure to phishing and spoofing<br>
attacks. If this approach is taken in the way it seems to be described,<br>
we will pretty much ensure that no one that has medium to high value<br>
transactions or services will be interested in implementing OpenID.<br>
<br>
--Andrew<br>
<br>
_______________________________________________<br>
general mailing list<br>
<a href="mailto:general@openid.net" target="_blank">general@openid.net</a><br>
<a href="http://openid.net/mailman/listinfo/general" target="_blank">http://openid.net/mailman/listinfo/general</a><br>
<o:p></o:p></p>
<p class=MsoNormal><br>
_______________________________________________<br>
general mailing list<br>
<a href="mailto:general@openid.net" target="_blank">general@openid.net</a><br>
<a href="http://openid.net/mailman/listinfo/general" target="_blank">http://openid.net/mailman/listinfo/general</a><o:p></o:p></p>
</div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
<pre><o:p> </o:p></pre><pre style='text-align:center'>
<hr size=4 width="90%" align=center>
</pre><pre><o:p> </o:p></pre><pre>_______________________________________________<o:p></o:p></pre><pre>general mailing list<o:p></o:p></pre><pre><a
href="mailto:general@openid.net">general@openid.net</a><o:p></o:p></pre><pre><a
href="http://openid.net/mailman/listinfo/general">http://openid.net/mailman/listinfo/general</a><o:p></o:p></pre><pre> <o:p></o:p></pre><pre><o:p> </o:p></pre><pre
style='text-align:center'>
<hr size=4 width="90%" align=center>
</pre><pre><o:p> </o:p></pre><pre>No virus found in this incoming message.<o:p></o:p></pre><pre>Checked by AVG. <o:p></o:p></pre><pre>Version: 7.5.557 / Virus Database: 270.11.21/2014 - Release Date: 20/03/2009 6:59 AM<o:p></o:p></pre><pre> <o:p></o:p></pre>
<p class=MsoNormal><o:p> </o:p></p>
<div>
<p class=MsoNormal>-- <br>
<span style='font-size:10.0pt'>Paul Madsen<br>
e:paulmadsen @ ntt-at.com<br>
p:613-482-0432<br>
m:613-282-8647<br>
web:connectid.blogspot.com<br>
</span><a href="http://feeds.feedburner.com/%7Er/blogspot/gMwy/%7E6/1"><span
style='text-decoration:none'><img border=0 width=400 height=82 id="_x0000_i1027"
src="cid:image001.gif@01C9A92E.4E9F6AF0" alt=ConnectID></span></a><o:p></o:p></p>
</div>
</div>
</div>
</body>
</html>