On Mon, May 22, 2006 at 02:40:36PM -0400, Sam Hartman wrote:
> Assume that examplebank.com is a financial institution that acts as an
> identity provider for themselves and for business partners. If they
> are given the ability to confirm that the website I'm going to is
> allowed to accept their identity, then they can give me an error if I
> attempt to use their identity with some random phishing site I got a
> link to in email.
>
> You may disagree that this defense is important. However it is a
> defense.

It amounts to a hook for white/black-listing. It can only really work
well as a whitelist, and only if the list is kept very small. ISPs
acting as IdPs may not want to be in the blacklisting business, and
whitelisting won't be an option. So I see this as an optional feature,
not a requirement.

Nico
--
_______________________________________________
dix mailing list
[email protected]
https://www1.ietf.org/mailman/listinfo/dix
