Recently this definition of Phishing-Resistant Authentication was
proposed:
· Phishing-Resistant Authentication
An authentication mechanism where the End User does not provide
shared secrets to a party potentially under the control of the
Relying Party that could enable that party to then authenticate
elsewhere as if it were the End User. (Note that the potentially
malicious Relying Party controls where the User-Agent is
redirected to and thus may not send it to the End User's actual
OpenID Provider).
Given the rise of nasty MITM malware, I hope that we all agree that
PAPE is not intended to protect the user from malware on their own
machine, but to protect the user from malicious websites. If so,
would it make sense to enhance the definition to reflect this?
-- Dick
_______________________________________________
security mailing list
[email protected]
http://openid.net/mailman/listinfo/security
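The proposed definition can be turned into a concrete check. The following simulation is an added illustration, not code from the post, from PAPE or from any OpenID implementation: it models the threat the definition describes (a malicious Relying Party redirects the User-Agent to an OpenID Provider it controls, records what the user sends, and then tries to use that material at the user's real OP) and asks whether the user's authentication method survives it. The origins, username, password and device key are constructed placeholders, and the three answer schemes (a typed password, a keyed challenge/response, and the same challenge/response bound to the origin the User-Agent actually reached) are illustrative, not the PAPE policies themselves. It goes slightly beyond the post by distinguishing later replay from real-time relay, which is why a bare challenge/response is not enough.

```python
import hashlib
import hmac
import secrets

# Constructed sample values (placeholders, not real hosts or credentials).
REAL_OP = "https://op.example"        # the End User's actual OpenID Provider
FAKE_OP = "https://op-evil.example"   # where a malicious RP redirects the User-Agent
PASSWORD = "correct horse battery staple"
DEVICE_KEY = secrets.token_bytes(32)  # secret that never leaves the user's authenticator


class OpenIDProvider:
    """Minimal OP: issues a fresh nonce per login and checks the user's answer."""

    def __init__(self, origin, verify):
        self.origin = origin
        self.verify = verify  # verify(origin, nonce, response) -> bool

    def new_challenge(self):
        return secrets.token_bytes(16)

    def authenticate(self, nonce, response):
        return self.verify(self.origin, nonce, response)


# --- Three ways the User-Agent can answer an OP's challenge (hypothetical) ---

def answer_password(op_origin, nonce):
    """Shared secret: the user types the same password wherever they are sent."""
    return PASSWORD.encode()


def verify_password(origin, nonce, response):
    return hmac.compare_digest(response, PASSWORD.encode())


def answer_nonce_only(op_origin, nonce):
    """Keyed challenge/response with no binding to the origin being answered."""
    return hmac.new(DEVICE_KEY, nonce, hashlib.sha256).digest()


def verify_nonce_only(origin, nonce, response):
    expected = hmac.new(DEVICE_KEY, nonce, hashlib.sha256).digest()
    return hmac.compare_digest(response, expected)


def answer_origin_bound(op_origin, nonce):
    """Keyed challenge/response bound to the origin the User-Agent actually reached."""
    return hmac.new(DEVICE_KEY, op_origin.encode() + nonce, hashlib.sha256).digest()


def verify_origin_bound(origin, nonce, response):
    expected = hmac.new(DEVICE_KEY, origin.encode() + nonce, hashlib.sha256).digest()
    return hmac.compare_digest(response, expected)


# --- The threat in the proposed definition -----------------------------------

def phishing_resistant(answer, verify):
    """True if nothing the user sends to a party under the RP's control lets
    that party authenticate as the user at the real OP.

    Two attempts are modelled: replaying recorded material later, and relaying
    the real OP's live challenge through the fake OP in real time.
    """
    real_op = OpenIDProvider(REAL_OP, verify)

    # Sanity check: the honest flow against the real OP works.
    nonce = real_op.new_challenge()
    if not real_op.authenticate(nonce, answer(REAL_OP, nonce)):
        raise RuntimeError("honest login must succeed")

    # Replay: the fake OP records whatever the user sent it and reuses it later.
    captured = answer(FAKE_OP, secrets.token_bytes(16))
    replay_works = real_op.authenticate(real_op.new_challenge(), captured)

    # Relay: the fake OP fetches a live challenge from the real OP and forwards it.
    live_nonce = real_op.new_challenge()
    relayed = answer(FAKE_OP, live_nonce)
    relay_works = real_op.authenticate(live_nonce, relayed)

    return not (replay_works or relay_works)


def evaluate_all():
    """Apply the check to each scheme; maps scheme name -> phishing-resistant?"""
    return {
        "password": phishing_resistant(answer_password, verify_password),
        "nonce_only": phishing_resistant(answer_nonce_only, verify_nonce_only),
        "origin_bound": phishing_resistant(answer_origin_bound, verify_origin_bound),
    }


if __name__ == "__main__":
    for scheme, ok in evaluate_all().items():
        print(f"{scheme:13s} phishing-resistant: {ok}")
```

Only the origin-bound scheme passes: the password is reusable anywhere, and the unbound challenge/response resists replay but not a real-time relay, since the fake OP can simply forward the real OP's nonce. Note that, in line with the post, the model covers a malicious website that controls where the User-Agent is sent; it says nothing about malware running on the user's own machine, which could read the device key directly.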