Proposal: An anti-phishing compromise

john kemp john.kemp at mac.com
Fri Feb 2 20:25:29 UTC 2007


Johnny Bufu wrote:
> 
> On 2-Feb-07, at 12:04 PM, john kemp wrote:
>> Johnny Bufu wrote:
>>>> If the OP has stolen the user's credentials, it can just say
>>>> "phishable = no" and pass its assertion regarding those credentials
>>>> to the RP.
>>>
>>> And the RP (being now a legitimate one), will perform verification on
>>> the assertion and will fail as it is not coming from the legitimate /
>>> authoritative OP.
>>
>> Sure, but then the (former) rogue OP will take the user's credentials
>> and log in, as the user, at the user's real OP (which will be
>> authoritative). The OP will assert that the user is logged in, and that
>> the credentials weren't phished.
> 
> Then the real OP is obviously wrong, since the authentication was phished.
> 
> If the authentication mechanism is phishable, a good OP is supposed to
> say "phishable=yes". Otherwise it is cheating the user's trust.

Yes, RPs will just have to trust assertions from an OP. But with all due
respect, I just don't see how "the honour system" mitigates phishing.

> 
>>> Since the "rogue OP" is not authoritative for the phished user at any
>>> other RP, I rather see it as an extension of the rogue RP; it's
>>> basically the rogue RP that's proxying the output from the legitimate
>>> OP, so in a sense there's no real "rogue OP".
>>
>> Yes, I see your point, but after the OP is no longer rogue (is "just a
>> user"), it has both the user's OpenID and her credentials.
> 
> But it won't be able to login to RPs that enforce "phishable=no", since
> the assertions will be coming from the real OP (which should say
> "phishable=yes").

Don't get me wrong - I think it's a good idea for the OP to make a
statement about the authentication method used (although I would prefer
it to say something like
authn_method="urn:openid:2.0:aqe:method:password", rather than
phishable="yes"). That points to AQE, as David mentioned already.

Regards,

- John
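The exchange above turns on two separate checks at the RP: whether an assertion comes from the OP that discovery names as authoritative (and is signed under the association with that OP), and whether the "phishable" statement in it can be relied on at all. The following Python model, added here as an illustration and not part of the original post or of any OpenID library, walks through the four cases the thread discusses. The discovery table, the association keys, the HMAC-SHA256 signature, the `rogue.example.org` endpoint and the RP policy are all constructed for the example; only the `urn:openid:2.0:aqe:method:password` URN is taken from the thread.

```python
import hashlib
import hmac

# Constructed discovery result: which OP endpoint is authoritative for a claimed identifier.
DISCOVERY = {
    "https://alice.example.net/": "https://op.example.net/auth",
}

# Constructed association keys the RP shares with each OP it has talked to
# (the real OP and a second, non-authoritative OP standing in for the "rogue OP").
ASSOCIATIONS = {
    "https://op.example.net/auth": b"constructed-secret-shared-with-real-op",
    "https://rogue.example.org/auth": b"constructed-secret-shared-with-rogue-op",
}

SIGNED_FIELDS = ("op_endpoint", "claimed_id", "authn_method", "phishable")


def sign_fields(fields, key):
    """HMAC-SHA256 over the signed fields (stand-in for the OpenID association signature)."""
    message = "\n".join(f"{name}:{fields[name]}" for name in SIGNED_FIELDS).encode()
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def op_issue_assertion(op_endpoint, claimed_id, authn_method, phishable, signing_key=None):
    """OP side: build a positive assertion. The 'phishable' value is whatever the OP chooses to say."""
    fields = {
        "op_endpoint": op_endpoint,
        "claimed_id": claimed_id,
        "authn_method": authn_method,
        "phishable": phishable,
    }
    key = signing_key if signing_key is not None else ASSOCIATIONS[op_endpoint]
    fields["sig"] = sign_fields(fields, key)
    return fields


def rp_verify_assertion(assertion, require_unphishable=True):
    """RP side: accept only if the assertion names the OP discovered for the claimed id,
    verifies under the association key for that OP, and (optionally) the OP declares the
    authentication method unphishable. Returns (accepted, reason)."""
    authoritative_op = DISCOVERY.get(assertion["claimed_id"])
    if authoritative_op is None:
        return False, "no discovery result for claimed identifier"
    if assertion["op_endpoint"] != authoritative_op:
        return False, "assertion not from the authoritative OP"
    key = ASSOCIATIONS.get(assertion["op_endpoint"])
    if key is None:
        return False, "no association with this OP"
    expected = sign_fields(assertion, key)
    if not hmac.compare_digest(expected, assertion["sig"]):
        return False, "signature does not verify under the association key"
    # The RP cannot check this statement; it is whatever the OP asserted (the "honour system").
    if require_unphishable and assertion["phishable"] != "no":
        return False, "OP reports a phishable authentication method"
    return True, "accepted"


ALICE = "https://alice.example.net/"
PASSWORD = "urn:openid:2.0:aqe:method:password"  # method URN quoted in the thread


def scenarios():
    """The four cases discussed in the thread, as (name, accepted, reason) tuples."""
    results = []
    # 1. The non-authoritative OP asserts for Alice and simply says phishable=no.
    a1 = op_issue_assertion("https://rogue.example.org/auth", ALICE, PASSWORD, "no")
    results.append(("rogue OP, claims phishable=no",) + rp_verify_assertion(a1))
    # 2. The same OP names the real endpoint but can only sign with its own association key.
    a2 = op_issue_assertion("https://op.example.net/auth", ALICE, PASSWORD, "no",
                            signing_key=ASSOCIATIONS["https://rogue.example.org/auth"])
    results.append(("rogue OP, spoofed op_endpoint",) + rp_verify_assertion(a2))
    # 3. A password login at the real OP; an honest OP reports phishable=yes.
    a3 = op_issue_assertion("https://op.example.net/auth", ALICE, PASSWORD, "yes")
    results.append(("real OP, honest phishable=yes",) + rp_verify_assertion(a3))
    # 4. The real OP reports phishable=no; the RP has no way to check that statement.
    a4 = op_issue_assertion("https://op.example.net/auth", ALICE, PASSWORD, "no")
    results.append(("real OP, claims phishable=no",) + rp_verify_assertion(a4))
    return results


if __name__ == "__main__":
    for name, accepted, reason in scenarios():
        print(f"{name:32s} -> {'ACCEPT' if accepted else 'REJECT'}: {reason}")
```

Cases 1 and 2 are caught by discovery and the association signature, which is the sense in which there is "no real rogue OP": its assertions never verify for Alice's identifier. Cases 3 and 4 differ only in the value the real OP chose to put in the signed `phishable` field, and the RP's verification code treats that value as data to enforce, not as something it can confirm. Carrying an `authn_method` URN instead of a yes/no flag, as suggested above, would let the RP apply its own judgement about the method, but it would still be relying on the OP's statement of which method was used.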


