[security] Phishing-Resistant Authentication definition
David Recordon
drecordon at sixapart.com
Tue Nov 20 21:40:48 UTC 2007
Do you have proposed wording for this?
It might also make sense to rename this policy to something like "No
Shared Secret" and then also draft a second policy which allows shared
secrets which are more resistant to phishing than passwords. In the
end, not calling anything "phishing resistant" may be beneficial to
resolving everyone's concerns.
Thanks,
--David
On Nov 20, 2007, at 1:32 PM, Dick Hardt wrote:
> Recently this definition of Phishing-Resistant Authentication was
> proposed:
>
>>>
>>> · Phishing-Resistant Authentication
>>> An authentication mechanism where the End User does not provide
>>> shared secrets to a party potentially under the control of the
>>> Relying Party that could enable that party to then authenticate
>>> elsewhere as if it were the End User. (Note that the potentially
>>> malicious Relying Party controls where the User-Agent is
>>> redirected to and thus may not send it to the End User's actual
>>> OpenID Provider).
>
> Given the rise of nasty MITM malware, I hope that we all agree that
> PAPE is not intended to protect the user from malware on their own
> machine, but to protect the user from malicious websites. If so,
> would it make sense to enhance the definition to reflect this?
>
> -- Dick
> _______________________________________________
> security mailing list
> security at openid.net
> http://openid.net/mailman/listinfo/security
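As an added illustration of the definition quoted above (this is example code written for this archive page, not part of the thread or of any PAPE implementation), the toy model below follows the scenario the definition describes: a malicious Relying Party redirects the User-Agent to an OP it controls, and the question is whether what that fake OP learns lets it authenticate "elsewhere as if it were the End User". Two mechanisms are compared: a shared secret (a password handed to whichever origin asks) and a challenge-response proof bound to the origin the User-Agent actually spoke to. Everything here is constructed: the origins `op.example` and `op-example.evil`, the user secret, and the HMAC-over-(origin, nonce) scheme are hypothetical choices made for the example, and the User-Agent is assumed honest, matching Dick's point that malware on the user's own machine is out of scope.

```python
"""Toy model of 'phishing-resistant' authentication as defined in the thread.

A malicious RP sends the User-Agent to a fake OP. We check whether the fake OP
can then log in to the real OP as the End User. Constructed example; the
browser itself is honest (client-side malware is out of scope, as discussed).
"""
import hashlib
import hmac
import secrets

USER_SECRET = b"correct horse battery staple"   # constructed per-user secret
REAL_OP = "https://op.example"                  # hypothetical real OP origin
FAKE_OP = "https://op-example.evil"             # hypothetical phishing OP origin


def origin_bound_response(secret: bytes, origin: str, nonce: bytes) -> bytes:
    """HMAC over (origin, nonce): proves possession of the secret without
    revealing it, and is only valid at the origin the User-Agent talked to."""
    return hmac.new(secret, origin.encode() + nonce, hashlib.sha256).digest()


class UserAgent:
    """Honest browser holding the user's secret."""

    def __init__(self, secret: bytes) -> None:
        self._secret = secret

    def answer_password(self, origin: str) -> bytes:
        # Shared-secret mechanism: the secret itself goes to whoever asks,
        # regardless of which origin the RP redirected us to.
        return self._secret

    def answer_challenge(self, origin: str, nonce: bytes) -> bytes:
        # Origin-bound mechanism: only a proof leaves the UA, tied to the
        # origin the UA is actually talking to (here: the fake OP).
        return origin_bound_response(self._secret, origin, nonce)


class RealProvider:
    """The End User's actual OpenID Provider."""

    def __init__(self, secret: bytes) -> None:
        self.origin = REAL_OP
        self._secret = secret

    def verify_password(self, password: bytes) -> bool:
        return hmac.compare_digest(password, self._secret)

    def new_nonce(self) -> bytes:
        return secrets.token_bytes(16)

    def verify_challenge(self, nonce: bytes, response: bytes) -> bool:
        expected = origin_bound_response(self._secret, self.origin, nonce)
        return hmac.compare_digest(expected, response)


def impersonation_possible(mechanism: str) -> bool:
    """Run the phishing flow; True means the fake OP can later authenticate
    to the real OP as the End User, i.e. the mechanism is NOT resistant."""
    ua = UserAgent(USER_SECRET)
    real_op = RealProvider(USER_SECRET)
    if mechanism == "password":
        captured = ua.answer_password(FAKE_OP)      # shared secret leaves the UA
        return real_op.verify_password(captured)    # and is replayed elsewhere
    if mechanism == "origin-bound":
        # Worst case for the defender: the fake OP relays the real OP's nonce
        # in real time. The response is still bound to FAKE_OP, so the real
        # OP (which computes the MAC over its own origin) rejects it.
        nonce = real_op.new_nonce()
        captured = ua.answer_challenge(FAKE_OP, nonce)
        return real_op.verify_challenge(nonce, captured)
    raise ValueError(f"unknown mechanism: {mechanism}")


def phishing_resistant(mechanism: str) -> bool:
    """Meets the quoted definition iff nothing the fake OP learns lets it
    authenticate as the End User at the real OP."""
    return not impersonation_possible(mechanism)


if __name__ == "__main__":
    for m in ("password", "origin-bound"):
        print(f"{m:>13}: phishing-resistant = {phishing_resistant(m)}")
```

The point the model makes is the one the definition hinges on: it is not the strength of the secret that matters but whether the secret, or anything reusable derived from it, is ever handed to a party the Relying Party may control. Binding the proof to the origin is one way to satisfy that; the "No Shared Secret" framing David suggests above would cover it without using the phrase "phishing resistant" at all.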