Proposal: An anti-phishing compromise
john kemp
john.kemp at mac.com
Fri Feb 2 22:15:48 UTC 2007
Josh Hoyt wrote:
> On 2/2/07, john kemp <john.kemp at mac.com> wrote:
>> Don't get me wrong - I think it's a good idea for the OP to make a
>> statement about the authentication method used (although I would prefer
>> it to say something like
>> authn_method="urn:openid:2.0:aqe:method:password", rather than
>> phishable="yes"). That points to AQE, as David mentioned already.
>
> A browser plug-in, like sxipper, that uses a username and (a
> generated, non-user-visible) password internally and will only submit
> it to the correct OP can't be phished.
>
> Is this a different kind of authentication than "password"? I don't
> think so. Is it phishable? I think that the OP can reasonably say that
> it is not. Therefore, I think that the authentication mechanism is (or
> at least can be) independent from whether the authentication channel
> is phishable.
I will agree that the authentication channel might be separated from the
authentication method, as you have described those concepts. I'm not
sure if that's a meaningful distinction.
For example, in Sxipper, does the password get moved across the network
to the OP, or does Sxipper act as the OP (on the client side)? If the
former, then I'd argue that Sxipper password auth is slightly less
phishable, but not completely so. If the latter, then the trust is
/really/ only between the RP and the user.
- John