Johnny Bufu wrote:
> On 2-Feb-07, at 12:25 PM, john kemp wrote:
>>> If the authentication mechanism is phishable, a good OP is supposed to
>>> say "phishable=yes". Otherwise it is cheating the user's trust.
>> Yes, RPs will just have to trust assertions from an OP. But with all due
>> respect, I just don't see how "the honour system" mitigates phishing.
>
> I guess we could argue about where we see the trust.

I guess we could, but I doubt that would be very fruitful for either of us ;)

> I see it between the user and the OP. The RP only "trusts" (or rather
> accepts) the user's choice of an OP (and the assertions coming from it as
> representing the user).

How about we focus on the proposal at hand?

i) I think that it is a good idea to make some statement from the OP about the authentication method. Personally I would prefer something about the authentication method actually used, a la AQE. It would then be more apparent that the RP still has to make up its own mind about whether to accept the assertion, rather than simply trusting in the OP not to lie about whether the method is phishable.

ii) I think adding security considerations in the actual specification, along the lines that Josh wrote in his original proposal, would be a very good addition. An acknowledgment that there is the potential for this attack (among others), and a statement of possible mitigating factors would seem to be very important when RPs and OPs go to implement the specification. I believe that security considerations should be in the actual specification, not simply posted on the wiki, as there is a greater chance of an implementor reading them if they are with the core protocol spec.

Regards,

- John

_______________________________________________
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs