[security] Phishing-Resistant Authentication definition
Dick Hardt
dick at sxip.com
Wed Nov 21 05:09:08 UTC 2007
On 20-Nov-07, at 1:40 PM, David Recordon wrote:
> Do you have proposed wording for this?
not right now :-)
>
> It might also make sense to rename this policy to something like
> "No Shared Secret" and then also draft a second policy which allows
> shared secrets which are more resistant to phishing than
> passwords. In the end, not calling anything "phishing resistant"
> may be beneficial to resolving everyone's concerns.
Agreed that it will make it easier to get agreement. Not sure "No
Shared Secret" is the right one though. Being Phishing Resistant was
the driver for the policy though and the reason why people care.
Alternatively, we could change the protocol so that it is Phishing
Resistant without having to have an extension! :-)
-- Dick