Proposal: An anti-phishing compromise
Johnny Bufu
johnny at sxip.com
Fri Feb 2 20:33:05 UTC 2007
On 2-Feb-07, at 12:25 PM, john kemp wrote:
>> If the authentication mechanism is phishable, a good OP is supposed to
>> say "phishable=yes". Otherwise it is cheating the user's trust.
>
> Yes, RPs will just have to trust assertions from an OP. But with all due
> respect, I just don't see how "the honour system" mitigates phishing.
I guess we could argue about where we see the trust. I see it between
the user and the OP. The RP only "trusts" (or rather accepts)
the user's choice of an OP (and the assertions coming from it as
representing the user).
Johnny