[security] Phishing-Resistant Authentication definition
Bajaj, Siddharth
sbajaj at verisign.com
Wed Nov 21 08:40:56 UTC 2007
Hi David/Dick and others,
I have been thinking about this and one way to resolve everybody's concern is to
define multiple policies. What we have been trying to do is to try and define a single
policy around phishing-resistance, while as pointed out by Kim, security is a
continuum.
We need to pick a few different points on that continuum that are meaningful. One
approach we can take is to define a few different levels of phishing resistance policies
such as 'phishing resistant level 1', 'phishing resistant level 2', etc. where each level
represents a point on the continuum.
For example -
Phishing resistant level 1 -
Use of some sort of phishing resistant credentials that are effective against the common
types of phishing attacks - offline phishing attacks.
Phishing resistant level 2 -
Requirements for level 1 plus some way for the web-site to authenticate itself to the user
such as shared picture image or EV certificate, etc.
Phishing resistant level 3 -
The highest level, where even the more sophisticated 'online' variety of phishing attacks
are mitigated.
Again the idea of this email is to propose an approach. Once we have agreement then we can
have a discussion around the number of levels and the exact definition of each.
Siddharth
CC: OSIS general list
> Date: Tue, 20 Nov 2007 13:40:48 -0800
> From: David Recordon <drecordon at sixapart.com>
> Subject: Re: [security] Phishing-Resistant Authentication definition
> To: Dick Hardt <dick at sxip.com>
> Cc: OpenID specs list <specs at openid.net>
> Message-ID: <2206FA7A-6A0E-488C-9A12-6A4530B3CA30 at sixapart.com>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Do you have proposed wording for this?
>
> It might also make sense to rename this policy to something like "No
> Shared Secret" and then also draft a second policy which allows shared
> secrets which are more resistant to phishing than passwords. In the
> end, not calling anything "phishing resistant" may be beneficial to
> resolving everyone's concerns.
>
> Thanks,
> --David
>
> On Nov 20, 2007, at 1:32 PM, Dick Hardt wrote:
>
> Recently this definition of Phishing-Resistant Authentication was
> proposed:
>
>     Phishing-Resistant Authentication
>     An authentication mechanism where the End User does not provide
>     shared secrets to a party potentially under the control of the
>     Relying Party that could enable that party to then authenticate
>     elsewhere as if it were the End User. (Note that the potentially
>     malicious Relying Party controls where the User-Agent is
>     redirected to and thus may not send it to the End User's actual
>     OpenID Provider).
>
> Given the rise of nasty MITM malware, I hope that we all agree that
> PAPE is not intended to protect the user from malware on their own
> machine, but to protect the user from malicious websites. If so,
> would it make sense to enhance the definition to reflect this?
>
> -- Dick
> _______________________________________________
> security mailing list
> security at openid.net
> http://openid.net/mailman/listinfo/security
>
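The quoted definition turns on one fact: the Relying Party picks where the User-Agent is redirected, so it can send the user to an OpenID Provider look-alike it controls, and anything reusable the user hands that look-alike works against the real OP. The following is an added example, written for this archive page and not part of the thread or of any OpenID implementation. It models that threat with two credential types: a password (a shared secret the user provides, which the look-alike simply replays) and a challenge response bound to the origin the User-Agent actually talked to (which the look-alike can relay but not reuse). The origins, user name, password and the use of HMAC as a stand-in for a public-key signature are all constructed assumptions.

```python
"""Toy model of the phishing threat in the quoted definition (added example,
not from the thread). All names, origins and credentials are constructed."""
import hashlib
import hmac
import secrets

REAL_OP_ORIGIN = "https://op.example"            # constructed
PHISH_OP_ORIGIN = "https://op-example.invalid"   # constructed look-alike


def sign_challenge(device_key: bytes, challenge: str, origin: str) -> str:
    """Origin-bound response. HMAC stands in for a public-key signature so the
    example needs only the standard library; the device key never leaves the
    User-Agent, so it is not a secret the user *provides* to any party."""
    return hmac.new(device_key, f"{challenge}|{origin}".encode(), hashlib.sha256).hexdigest()


class RealProvider:
    """The End User's actual OpenID Provider."""
    origin = REAL_OP_ORIGIN

    def __init__(self):
        self._passwords = {}
        self._device_keys = {}
        self._pending = set()

    def enroll(self, user, password, device_key):
        self._passwords[user] = password
        self._device_keys[user] = device_key

    def new_challenge(self):
        c = secrets.token_hex(16)
        self._pending.add(c)
        return c

    def login_password(self, user, password):
        # A shared secret: whoever holds it can authenticate as the user from anywhere.
        return hmac.compare_digest(self._passwords.get(user, ""), password)

    def login_signature(self, user, challenge, origin, signature):
        if challenge not in self._pending:
            return False
        self._pending.discard(challenge)        # single use
        if origin != self.origin:               # origin binding: rejects responses made for a look-alike
            return False
        key = self._device_keys.get(user)
        if key is None:
            return False
        return hmac.compare_digest(sign_challenge(key, challenge, origin), signature)


class PhishingProvider:
    """Look-alike OP under the malicious RP's control. It relays challenges from the
    real OP (the 'online' variety of attack) and replays whatever it captures."""
    origin = PHISH_OP_ORIGIN

    def __init__(self, real):
        self.real = real
        self.captured_passwords = {}

    def new_challenge(self):
        return self.real.new_challenge()

    def login_password(self, user, password):
        self.captured_passwords[user] = password            # now a reusable credential
        return self.real.login_password(user, password)     # replay succeeds

    def login_signature(self, user, challenge, origin, signature):
        # The captured response is bound to PHISH_OP_ORIGIN. Forwarding it unchanged
        # fails the real OP's origin check; rewriting the origin fails its signature check.
        return self.real.login_signature(user, challenge, self.real.origin, signature)


class UserAgent:
    def __init__(self, user, password, device_key):
        self.user, self.password, self.device_key = user, password, device_key

    def authenticate_with_password(self, op):
        return op.login_password(self.user, self.password)

    def authenticate_with_signature(self, op):
        challenge = op.new_challenge()
        # The response is bound to the origin the User-Agent is really talking to.
        sig = sign_challenge(self.device_key, challenge, op.origin)
        return op.login_signature(self.user, challenge, op.origin, sig)


def run_scenario():
    """Returns whether each login attempt produced a session at the real OP."""
    real = RealProvider()
    phish = PhishingProvider(real)
    ua = UserAgent("alice", "correct horse battery staple", secrets.token_bytes(32))
    real.enroll(ua.user, ua.password, ua.device_key)
    return {
        "password_genuine_login": ua.authenticate_with_password(real),
        "password_phished_and_replayed": ua.authenticate_with_password(phish),
        "signature_genuine_login": ua.authenticate_with_signature(real),
        "signature_phished_and_replayed": ua.authenticate_with_signature(phish),
    }


if __name__ == "__main__":
    for name, ok in run_scenario().items():
        print(f"{name}: {ok}")
```

The password run shows the failure the definition names: the look-alike ends up holding a secret it can use to authenticate elsewhere as the End User, and it works even when the look-alike only relays. The origin-bound run satisfies the definition because nothing the User-Agent sends is reusable at the real OP. As Dick's message notes, this models malicious web sites, not malware on the user's own machine, which could read the device key directly.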