[security] Making phishing hard without changing UA side protocol
Tan, William
William.Tan at neustar.biz
Tue Jan 23 03:25:28 UTC 2007
Hans Granqvist wrote:
> Just some quick thinking how phishing for passwords can
> be diminished without severely changing the protocol or
> enforcing UA plugins, etc.
>
> 1. The OP requires:
> -- a RP must associate before the OP accepts it
> (as a return_to/trustroot).
> -- before OP allows such association, the RP must
> provide an acceptable XRDS file(*).
>
How would this help password phishing where the RP is rogue so it's not
even going to bother contacting the OP at all?
> 2. The OP refuses to do a login at the same time
> as an authentication. The user must be logged in
> beforehand.
>
> Of course, 2. is a user education, but maybe not that
> hard to teach?
>
This would be fairly inconvenient unless complemented with something
else that others on the list have suggested, e.g.:
- bookmarklet that opens up a new page to authenticate
- some sort of plug-in that logs you in automatically
- external authentication
=wil
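As an added illustration, not part of the thread, the following Python toy models an OP that enforces the two proposed rules (prior association backed by an XRDS-declared return_to list, and no password prompt during an authentication request); class and method names and the sample data are constructed. It also makes the objection above concrete: a rogue RP that shows its own fake login form never calls either method, so neither check ever runs.

```python
# Constructed example: a minimal OP applying rule 1 (RP must associate first and
# present an XRDS that declares its return_to URLs) and rule 2 (user must already
# be logged in; the OP never prompts for a password inside checkid_setup).
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass
class RPRecord:
    realm: str              # trust root asserted by the RP at association time
    return_to_urls: set     # return_to endpoints taken from the RP's XRDS file


class OP:
    def __init__(self):
        self.rps = {}       # realm -> RPRecord; filled only by a prior association
        self.sessions = {}  # session id -> user; set by a separate, earlier login

    def associate(self, realm, xrds_return_to):
        """Rule 1: accept an association only with an acceptable XRDS."""
        host = urlparse(realm).netloc
        # Reject an empty XRDS or one declaring return_to URLs on another host.
        if not xrds_return_to or any(
            urlparse(u).netloc != host for u in xrds_return_to
        ):
            return False
        self.rps[realm] = RPRecord(realm, set(xrds_return_to))
        return True

    def login(self, session_id, user):
        """Separate login step; the only place a password would be checked."""
        self.sessions[session_id] = user

    def checkid_setup(self, realm, return_to, session_id):
        """Handle an authentication request from an RP."""
        rp = self.rps.get(realm)
        # Rule 1: unknown RP, or a return_to the XRDS did not declare -> refuse.
        if rp is None or return_to not in rp.return_to_urls:
            return "reject: RP not associated or return_to not in its XRDS"
        # Rule 2: no session -> do not show a login form here; send the user to
        # log in at the OP first and retry.
        user = self.sessions.get(session_id)
        if user is None:
            return "login_required: sign in at the OP first, then retry"
        return f"approve: {user} -> {return_to}"
```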