On 2-Feb-07, at 7:05 AM, George Fletcher wrote:

> but I'm still not sure how this helps with the phishing problem.
> As you pointed out John, the issue is a rogue RP redirecting to a
> rogue OP. So the rogue OP just steals the credentials and returns
> whatever it wants.

In this case, the rogue RP is not interested at all in the auth response from the rogue OP (or for that matter from the legitimate OP); just in stealing the user's credentials. The phishing field prevents the phisher from later using these credentials on a legitimate RP (which will be contacting the legitimate OP) to impersonate the user -- if the RP enforces "phishable = no".

Johnny

_______________________________________________
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs
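The scenario in the reply above, modelled as an added example (not code from the thread or from any OpenID implementation): it assumes the legitimate OP signs the phishable field into its assertion with an association key shared with the RP, and sets the field from the authentication method used (password login marked "yes", a hypothetical hardware token marked "no"); all names, keys and passwords are constructed.

```python
import hmac
import hashlib

# Constructed association secret shared by the legitimate OP and RP.
ASSOC_KEY = b"example-association-secret"
# Constructed password store at the legitimate OP.
USERS = {"alice": "hunter2"}


def op_sign(fields: dict) -> dict:
    """Legitimate OP signs an assertion; the phishable field is covered by the MAC."""
    payload = "&".join(f"{k}={fields[k]}" for k in sorted(fields)).encode()
    sig = hmac.new(ASSOC_KEY, payload, hashlib.sha256).hexdigest()
    return {**fields, "sig": sig}


def op_authenticate(identity, password=None, hardware_token=False):
    """Return a signed positive assertion or None. A password login is
    reported as phishable=yes; the (hypothetical) token method as phishable=no."""
    if hardware_token:
        return op_sign({"identity": identity, "phishable": "no"})
    if USERS.get(identity) == password:
        return op_sign({"identity": identity, "phishable": "yes"})
    return None


def rp_accepts(assertion, require_unphishable=True):
    """RP verifies the OP's signature, then enforces the phishable=no policy."""
    if assertion is None:
        return False
    fields = {k: v for k, v in assertion.items() if k != "sig"}
    if not hmac.compare_digest(op_sign(fields)["sig"], assertion["sig"]):
        return False  # forged or rogue-OP assertion: wrong association key
    return not require_unphishable or fields.get("phishable") == "no"


def phishing_scenario():
    # A rogue RP sends alice to a rogue OP, which records her password.
    stolen = ("alice", USERS["alice"])
    # The phisher replays the stolen password at the legitimate OP via a legitimate RP.
    replay = op_authenticate(*stolen)
    # Alice herself logs in with the non-phishable method.
    genuine = op_authenticate("alice", hardware_token=True)
    return (rp_accepts(replay),                            # rejected: phishable=yes
            rp_accepts(genuine),                           # accepted
            rp_accepts(replay, require_unphishable=False)) # accepted if RP does not enforce
```

The replayed password only yields a phishable=yes assertion, so an RP that enforces the policy rejects it even though the signature is valid.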