[security] Phishing-Resistant Authentication definition
Bradescu, Roxana
rbradescu at verisign.com
Wed Nov 21 05:12:41 UTC 2007
> Alternatively, we could change the protocol so that it is Phishing
> Resistant without having to have an extension! :-)
There's a thought ;-)
Roxana Bradescu | VeriSign Innovation
-----Original Message-----
From: specs-bounces at openid.net [mailto:specs-bounces at openid.net] On Behalf Of Dick Hardt
Sent: Tuesday, November 20, 2007 9:09 PM
To: david at sixapart.com
Cc: OpenID specs list
Subject: Re: [security] Phishing-Resistant Authentication definition
On 20-Nov-07, at 1:40 PM, David Recordon wrote:
> Do you have proposed wording for this?
not right now :-)
>
> It might also make sense to rename this policy to something like
> "No Shared Secret" and then also draft a second policy which allows
> shared secrets which are more resistant to phishing than
> passwords. In the end, not calling anything "phishing resistant"
> may be beneficial to resolving everyone's concerns.
Agreed that it will make it easier to get agreement. Not sure "No
Shared Secret" is the right one though. Being Phishing Resistant was
the driver for the policy though and the reason why people care.
Alternatively, we could change the protocol so that it is Phishing
Resistant without having to have an extension! :-)
-- Dick
_______________________________________________
specs mailing list
specs at openid.net
http://openid.net/mailman/listinfo/specs