Proposal: An anti-phishing compromise
Recordon, David
drecordon at verisign.com
Fri Feb 9 07:38:44 UTC 2007
Maybe laws are meant to be broken. I don't see why an RP knowing that I used a token as a second factor is a bad thing. If nothing else, the technology should support the OP providing that information, and the OP's implementation can let me as the user decide if I want to. Just like the trust request, it isn't mandated by the spec, but every worthwhile OP does it.
My $0.02.
--David
-----Original Message-----
From: specs-bounces at openid.net [mailto:specs-bounces at openid.net] On
Behalf Of Dick Hardt
Sent: Sunday, February 04, 2007 11:42 PM
To: Granqvist, Hans
Cc: OpenID specs list
Subject: Re: Proposal: An anti-phishing compromise
On 1-Feb-07, at 2:36 PM, Granqvist, Hans wrote:
>> Add a single, required, boolean field to the authentication response
>> that specifies whether or not the method the OP used to authenticate
>> the user is phishable. The specification will have to provide
>> guidelines on what properties an authentication mechanism needs to
>> have in order to be "non-phishable." The field is just meant to
>> indicate that the authentication mechanism that was used is not a
>> standard "secret entered into a Web form."
>
> The receiver should decide what is 'non-phishable', not the sender, so
> it would be better if the OP just states what mechanism was used,
> perhaps.
Per Kim's laws, how I authenticate to my OP is none of the RP's business. That I authenticated in a phishing-resistant manner is.
i.e., we want the OP to make the statement that it followed certain anti-phishing guidelines.
There is no certainty that the OP followed them, but the RP and user have recourse against an OP if the OP stated that it did follow the anti-phishing guidelines.
-- Dick
_______________________________________________
specs mailing list
specs at openid.net
http://openid.net/mailman/listinfo/specs
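An added example, not from this thread or any OpenID specification, of how an RP would consume the kind of field debated above in an OpenID 1.1-style signed response. It assumes a hypothetical `openid.phishing_resistant` field, a constructed association MAC key and HMAC-SHA1 signing; the point it shows is that the OP's statement only carries weight when the field is listed in `openid.signed` and the signature verifies.

```python
import base64
import hashlib
import hmac

# Shared MAC key from the RP/OP association (constructed sample value).
MAC_KEY = b"constructed-association-mac-key"


def kv_form(fields, signed_keys):
    """OpenID key-value form of the signed fields: one 'key:value\\n' line per
    field, in openid.signed order, with the 'openid.' prefix stripped."""
    return "".join(f"{k}:{fields['openid.' + k]}\n" for k in signed_keys)


def sign(fields, signed_keys, mac_key=MAC_KEY):
    """Base64(HMAC-SHA1(mac_key, kv-form)) as an OpenID 1.1 association signs."""
    mac = hmac.new(mac_key, kv_form(fields, signed_keys).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()


def make_response(phishing_resistant, include_in_signature=True):
    """Constructed OP response; openid.phishing_resistant is hypothetical."""
    signed = ["mode", "identity", "return_to"]
    if include_in_signature:
        signed.append("phishing_resistant")
    fields = {
        "openid.mode": "id_res",
        "openid.identity": "https://op.example/alice",
        "openid.return_to": "https://rp.example/finish",
        "openid.phishing_resistant": "true" if phishing_resistant else "false",
    }
    fields["openid.signed"] = ",".join(signed)
    fields["openid.sig"] = sign(fields, signed)
    return fields


def rp_trusts_phishing_resistant(fields, mac_key=MAC_KEY):
    """RP side: accept the OP's statement only if the signature is valid
    and the statement itself is among the signed fields."""
    signed = fields["openid.signed"].split(",")
    expected = sign(fields, signed, mac_key)
    if not hmac.compare_digest(expected, fields["openid.sig"]):
        return False  # forged or tampered response
    if "phishing_resistant" not in signed:
        return False  # unsigned claim: anyone on the path could have added it
    return fields["openid.phishing_resistant"] == "true"
```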