On 2-Feb-07, at 12:25 PM, john kemp wrote:

>> If the authentication mechanism is phishable, a good OP is supposed to
>> say "phishable=yes". Otherwise it is cheating the user's trust.
>
> Yes, RPs will just have to trust assertions from an OP. But with all due
> respect, I just don't see how "the honour system" mitigates phishing.

I guess we could argue about where we see the trust. I see it between the user and the OP. The RP only "trusts" (or rather accepts) the user's choice of an OP (and the assertions coming from it as representing the user).

Johnny

_______________________________________________
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs