On 2/2/07, john kemp <[EMAIL PROTECTED]> wrote:
> Don't get me wrong - I think it's a good idea for the OP to make a
> statement about the authentication method used (although I would prefer
> it to say something like
> authn_method="urn:openid:2.0:aqe:method:password", rather than
> phishable="yes"). That points to AQE, as David mentioned already.

A browser plug-in, like sxipper, that uses a username and (a generated, non-user-visible) password internally and will only submit it to the correct OP can't be phished. Is this a different kind of authentication than "password"? I don't think so. Is it phishable? I think that the OP can reasonably say that it is not. Therefore, I think that the authentication mechanism is (or at least can be) independent from whether the authentication channel is phishable.

Josh