Proposal: An anti-phishing compromise
Recordon, David
drecordon at verisign.com
Fri Feb 9 07:38:47 UTC 2007
Rogue RPs can already go and find RPs out there and manually look to see which just use usernames and passwords. I don't see how providing this information actually makes the issue worse. I agree that it makes it more apparent, but I'd hope that it would scare users and get them to go use a better OP. An OP lying only hurts its users.
--David
-----Original Message-----
From: specs-bounces at openid.net [mailto:specs-bounces at openid.net] On Behalf Of Claus Färber
Sent: Friday, February 02, 2007 5:01 AM
To: specs at openid.net
Subject: Re: Proposal: An anti-phishing compromise
Recordon, David <drecordon at verisign.com> wrote:
> Add a single, required, boolean field to the authentication response
> that specifies whether or not the method the OP used to authenticate
> the user is phishable. The specification will have to provide
> guidelines on what properties an authentication mechanism needs to
> have in order to be "non-phishable." The field is just meant to
> indicate that the authentication mechanism that was used is not a
> standard "secret entered into a Web form."
What should the RP do with that flag? If they lock out users who are "phishable", OPs will simply start to lie about their "non-phishability".
The main problem, however, is that it actually adds to the phishing problem by providing rogue RPs valuable information about security risks.
Claus
_______________________________________________
specs mailing list
specs at openid.net
http://openid.net/mailman/listinfo/specs
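The two objections above (an OP can lie about the flag, and the flag itself is attacker-visible information) come down to how much weight an RP should give such a field. The following is an added worked example, not code from the thread or from the OpenID specification, showing how a relying party could consume a flag like the one proposed while treating it strictly as a hint. The extension namespace `http://example.org/hypothetical/anti-phishing`, the alias `ap`, the key `ap.phishable`, and all endpoints and keys are constructed for the example; the signature check follows the OpenID 2.0 key-value HMAC scheme with a stateful association, assumed here to use HMAC-SHA256.

```python
"""RP-side handling of a hypothetical 'phishable' flag in an OpenID 2.0 assertion.

Added example. Assumptions (not from the thread): the flag travels as an extension
parameter openid.<alias>.phishable=true|false under the invented namespace AP_NS, and
the RP holds the association MAC key for the OP (stateful mode, HMAC-SHA256).
"""
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode

AP_NS = "http://example.org/hypothetical/anti-phishing"  # constructed namespace URL
OPENID2_NS = "http://specs.openid.net/auth/2.0"


def parse_response(query: str) -> dict:
    """Flatten an indirect (query-string) OpenID response into {name: value}."""
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}


def signed_fields(resp: dict) -> list:
    """Names listed in openid.signed, without the 'openid.' prefix."""
    return resp["openid.signed"].split(",") if resp.get("openid.signed") else []


def verify_signature(resp: dict, mac_key: bytes, digest=hashlib.sha256) -> bool:
    """OpenID 2.0 signature: HMAC over 'name:value\\n' for each signed field."""
    fields = signed_fields(resp)
    if not fields or "openid.sig" not in resp:
        return False
    kv = "".join(f"{f}:{resp.get('openid.' + f, '')}\n" for f in fields)
    expected = base64.b64encode(hmac.new(mac_key, kv.encode("utf-8"), digest).digest()).decode()
    return hmac.compare_digest(expected, resp["openid.sig"])


def phishable_alias(resp: dict):
    """Return the extension alias bound to AP_NS (e.g. 'ap'), or None."""
    for k, v in resp.items():
        if k.startswith("openid.ns.") and v == AP_NS:
            return k[len("openid.ns."):]
    return None


def assess(resp: dict, mac_key: bytes, trusted_ops: frozenset) -> str:
    """Classify an assertion as 'strong', 'phishable' or 'reject'.

    The flag is only a hint. It upgrades a login to 'strong' when the assertion
    signature verifies, the namespace declaration and the flag are themselves
    covered by openid.signed (an unsigned flag can be added or flipped by whoever
    relays the response), and the asserting OP is one the RP has chosen to believe,
    since an OP can lie about its own non-phishability. Everything else is handled
    exactly like an ordinary password login.
    """
    if resp.get("openid.mode") != "id_res" or not verify_signature(resp, mac_key):
        return "reject"
    signed = set(signed_fields(resp))
    if "op_endpoint" not in signed or resp.get("openid.op_endpoint") not in trusted_ops:
        return "phishable"
    alias = phishable_alias(resp)
    if alias is None or f"ns.{alias}" not in signed or f"{alias}.phishable" not in signed:
        return "phishable"
    return "strong" if resp.get(f"openid.{alias}.phishable") == "false" else "phishable"


def sign_response(fields: dict, mac_key: bytes, digest=hashlib.sha256) -> dict:
    """OP-side fixture: build a positive assertion signing every field given."""
    names = list(fields)
    resp = {"openid." + k: v for k, v in fields.items()}
    resp.update({"openid.ns": OPENID2_NS, "openid.mode": "id_res", "openid.signed": ",".join(names)})
    kv = "".join(f"{n}:{fields[n]}\n" for n in names)
    resp["openid.sig"] = base64.b64encode(hmac.new(mac_key, kv.encode("utf-8"), digest).digest()).decode()
    return resp


# Constructed fixtures (no real OP, RP or key).
MAC_KEY = b"constructed-association-mac-key"
TRUSTED_OPS = frozenset({"https://op.example.net/server"})
BASE = {
    "op_endpoint": "https://op.example.net/server",
    "return_to": "https://rp.example.com/finish",
    "response_nonce": "2007-02-09T07:38:47Zconstructed",
    "assoc_handle": "constructed-handle",
    "claimed_id": "https://alice.example.net/",
    "identity": "https://alice.example.net/",
}


def demo_strong() -> str:
    """Trusted OP signs a 'not phishable' flag; round-trip through the query string."""
    resp = sign_response({**BASE, "ns.ap": AP_NS, "ap.phishable": "false"}, MAC_KEY)
    return assess(parse_response(urlencode(resp)), MAC_KEY, TRUSTED_OPS)


def demo_unsigned_flag() -> str:
    """OP signed only core fields; an unsigned flag appended in transit is ignored."""
    resp = sign_response(BASE, MAC_KEY)
    resp.update({"openid.ns.ap": AP_NS, "openid.ap.phishable": "false"})
    return assess(resp, MAC_KEY, TRUSTED_OPS)


def demo_tampered() -> str:
    """Signed flag flipped after signing: the signature no longer verifies."""
    resp = sign_response({**BASE, "ns.ap": AP_NS, "ap.phishable": "true"}, MAC_KEY)
    resp["openid.ap.phishable"] = "false"
    return assess(resp, MAC_KEY, TRUSTED_OPS)


def demo_untrusted_op() -> str:
    """Correctly signed flag from an OP the RP has not chosen to believe."""
    fields = {**BASE, "op_endpoint": "https://other-op.example.org/", "ns.ap": AP_NS, "ap.phishable": "false"}
    return assess(sign_response(fields, MAC_KEY), MAC_KEY, TRUSTED_OPS)


if __name__ == "__main__":
    for demo in (demo_strong, demo_unsigned_flag, demo_tampered, demo_untrusted_op):
        print(f"{demo.__name__}: {demo()}")
```

The point of the `assess` function is that the flag never lowers the bar: a missing, unsigned, or untrusted flag simply leaves the login in the same "phishable" class a plain password login already occupies, so an OP that lies gains nothing beyond what it could get by not sending the field at all.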