On 2-Feb-07, at 12:04 PM, john kemp wrote:

> Johnny Bufu wrote:
>>> If the OP has stolen the user's credentials, it can just say "phishable
>>> = no" and pass its assertion regarding those credentials to the RP.
>>
>> And the RP (being now a legitimate one), will perform verification on
>> the assertion and will fail as it is not coming from the legitimate /
>> authoritative OP.
>
> Sure, but then the (former) rogue OP will take the user's credentials
> and log in, as the user, at the user's real OP (which will be
> authoritative). The OP will assert that the user is logged in, and that
> the credentials weren't phished.

Then the real OP is obviously wrong, since the authentication was phished. If the authentication mechanism is phishable, a good OP is supposed to say "phishable=yes". Otherwise it is cheating the user's trust.

>> Since the "rogue OP" is not authoritative for the phished user at any
>> other RP, I rather see it as an extension of the rogue RP; it's
>> basically the rogue RP that's proxying the output from the legitimate
>> OP, so in a sense there's no real "rogue OP".
>
> Yes, I see your point, but after the OP is no longer rogue (is "just a
> user"), it has both the user's OpenID and her credentials.

But it won't be able to log in to RPs that enforce "phishable=no", since the assertions will be coming from the real OP (which should say "phishable=yes").

Johnny
_______________________________________________
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs
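To make the argument in this exchange concrete, here is an added example (not from the thread or from any OpenID implementation) that models an RP checking an assertion's origin against discovery, its signature under the authoritative OP's key, and the proposed "phishable" flag. The OP endpoints, the identifier, and the association secrets are constructed placeholders, and HMAC over the sorted fields stands in for a real OpenID association signature.

```python
import hashlib
import hmac

# Constructed association secrets (placeholders): each OP shares its own key with
# the RP, so only the real OP can produce signatures the RP accepts for it.
OP_KEYS = {
    "https://real-op.example": b"real-op-association-secret",
    "https://rogue-op.example": b"rogue-op-association-secret",
}

# Constructed discovery result: the OP that is authoritative for the identifier.
DISCOVERY = {"https://alice.example/": "https://real-op.example"}

def _canonical(fields):
    return "&".join(f"{k}={v}" for k, v in sorted(fields.items())).encode()

def op_sign(signing_op, claimed_op, identity, phishable):
    """OP side: assert a login; signing_op may claim to be another endpoint (claimed_op)."""
    fields = {"op_endpoint": claimed_op, "identity": identity, "phishable": phishable}
    fields["sig"] = hmac.new(OP_KEYS[signing_op], _canonical(fields), hashlib.sha256).hexdigest()
    return fields

def rp_verify(assertion, require_unphishable=True):
    """RP side: origin must match discovery, signature must verify, then policy applies."""
    authoritative_op = DISCOVERY.get(assertion["identity"])
    if assertion["op_endpoint"] != authoritative_op:
        return "reject: not from the authoritative OP"
    unsigned = {k: v for k, v in assertion.items() if k != "sig"}
    expected = hmac.new(OP_KEYS[authoritative_op], _canonical(unsigned), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion["sig"]):
        return "reject: signature does not verify under the authoritative OP's key"
    if require_unphishable and assertion["phishable"] != "no":
        return "reject: OP reports the authentication as phishable"
    return "accept"

def scenarios():
    alice, real, rogue = "https://alice.example/", "https://real-op.example", "https://rogue-op.example"
    return {
        # Rogue OP asserts "phishable=no" itself: it is not authoritative for alice.
        "rogue_direct": rp_verify(op_sign(rogue, rogue, alice, "no")),
        # Rogue OP claims the real OP's endpoint: it lacks the real OP's key.
        "rogue_spoof": rp_verify(op_sign(rogue, real, alice, "no")),
        # Phished credentials replayed at the real OP, which honestly reports its
        # mechanism as phishable; an RP enforcing "phishable=no" rejects it.
        "replayed_at_real_op": rp_verify(op_sign(real, real, alice, "yes")),
        # Genuine unphishable login at the real OP.
        "honest": rp_verify(op_sign(real, real, alice, "no")),
    }
```

An RP that does not enforce the flag (`require_unphishable=False`) accepts the replayed login, which is the case the thread warns about.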