<html><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">Do you have proposed wording for this?<div><br class="webkit-block-placeholder"></div><div>It might also make sense to rename this policy to something like "No Shared Secret" and then also draft a second policy which allows shared secrets which are more resistant to phishing than passwords. In the end, not calling anything "phishing resistant" may be beneficial to resolving everyone's concerns.</div><div><br class="webkit-block-placeholder"></div><div>Thanks,</div><div>--David</div><div><br><div><div>On Nov 20, 2007, at 1:32 PM, Dick Hardt wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite"><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">Recently this definition of Phishing-Resistant Authentication was proposed:<div><br><div><blockquote type="cite"><div><div><div><div><blockquote type="cite"><span class="Apple-style-span" style="border-collapse: separate; color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; -webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0; "><div lang="EN-US" link="blue" vlink="blue" style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><o:smarttagtype namespaceuri="urn:schemas-microsoft-com:office:smarttags" name="PersonName"><div class="Section1"><div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 12pt; font-family: 'Times New Roman'; "><font size="2" color="navy" face="Arial"><span style="font-size: 10pt; font-family: Arial; color: navy; "><o:p> </o:p></span></font></div><div style="text-indent: -0.25in; margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 12pt; font-family: 'Times New Roman'; "><font size="2" color="black" face="Symbol"><span lang="EN" style="font-size: 10pt; font-family: Symbol; color: black; "><span>·<font size="1" face="Times New Roman"><span style="font: normal normal normal 7pt/normal 'Times New Roman'; "> <span class="Apple-converted-space"> </span></span></font></span></span></font><font size="2" color="black" face="Verdana"><span lang="EN" style="font-size: 10pt; font-family: Verdana; color: black; ">Phishing-Resistant Authentication<o:p></o:p></span></font></div><p style="margin-bottom: 0.0001pt; margin-right: 0in; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman'; "><font size="2" color="black" face="Verdana"><span lang="EN" style="font-size: 10pt; font-family: Verdana; color: black; ">An authentication mechanism where the End User does not provide shared secrets to a party potentially under the control of the Relying Party that could enable that party to then authenticate elsewhere as if it were the End User. (Note that the potentially malicious Relying Party controls where the User-Agent is redirected to and thus may not send it to the End User's actual OpenID Provider).</span></font></p></div></o:smarttagtype></div></span></blockquote></div></div></div></div></blockquote><br></div><div>Given the rise of nasty MITM malware, I hope that we all agree that PAPE is not intended to protect the user from malware on their own machine, but to protect the user from malicious websites. If so, would it make sense to enhance the definition to reflect this?</div><div><br class="webkit-block-placeholder"></div><div>-- Dick</div></div></div>_______________________________________________<br>security mailing list<br><a href="mailto:security@openid.net">security@openid.net</a><br>http://openid.net/mailman/listinfo/security<br></blockquote></div><br></div></body></html>