[security] Making phishing hard without changing UA side protocol
Hans Granqvist
hgranqvist at verisign.com
Mon Jan 22 10:59:25 PST 2007
Just some quick thinking how phishing for passwords can
be diminished without severely changing the protocol or
enforcing UA plugins, etc.
1. The OP requires:
-- a RP must associate before the OP accepts it
(as a return_to/trustroot).
-- before OP allows such association, the RP must
provide an acceptable XRDS file(*).
2. The OP refuses to do a login at the same time
as an authentication. The user must be logged in
beforehand.
Of course, 2. is a user education, but maybe not that
hard to teach?
Does OpenID delegation change the assumptions?
-Hans
(*) The OP decides what is acceptable. The XRDS can
contain 3rd party-verifiable cryptographic tokens, for
example.
More information about the security
mailing list