On Fri, Apr 24, 2009 at 5:03 PM, Seth Fitzsimmons <[email protected]> wrote:
> Good point. Might language on the authorization page explaining where
> the phrase should have come from be the answer (it limits the
> possibilities, but phishers are creative ones)?
Sure.

> Pre-generating phrases would be tricky, as not all apps have the concept of
> "identity" and may not have the opportunity to generate phrases
> beforehand.

I'd say that if the application has the concept of an identity, it should be sensible practice to generate it beforehand and educate its users to recognize it (it would work as an anti-phishing measure).

I can think of three different cases here:

1. The consumer has the concept of "identity" and wants to protect the real identity: the phrase would be generated and known to the user before the OAuth dance (he would have been educated to see the phrase when authorizing).

2. The consumer has the concept of "identity" and sends the requests presenting the user's identity (at the consumer site): no need to generate a phrase, which would simply be a string representing the identity itself (maybe the username); the user would know that he has to see his identity on the authorize screen.

3. The consumer does not have the concept of "identity": the service provider shows a BIG WARNING about not having received any identity information from the consumer, and advises the user to check whether he rightfully started the request.

Luca
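The three cases above, worked through in code as an added example (this is not code from the thread or from any OAuth library). The consumer includes the phrase or username as an extra parameter of its signed OAuth 1.0 request-token request, so the service provider's signature check also covers the identity and a tampered or unsigned identity is refused; the authorize screen then either displays the identity (cases 1 and 2) or shows the big warning (case 3). The parameter name `xoauth_identity`, the consumer registry, the word list and the URL are all assumptions made for the example.

```python
"""Added example: bind an anti-phishing identity phrase to a signed
OAuth 1.0 request-token request and pick the authorize screen.

Not code from the thread. Hypothetical: the xoauth_identity parameter,
the CONSUMERS registry, the WORDS list and the provider URL.
"""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote

# Constructed demo registry: consumer key -> consumer secret (hypothetical).
CONSUMERS = {"photo-printer": "kd94hf93k423kf44"}

# Constructed word list for case 1: the consumer mints a phrase from it and
# shows the phrase to the user on its own site before the OAuth dance starts.
WORDS = ["amber", "falcon", "harbor", "maple", "quartz", "saddle", "tundra", "violet"]


def oauth_encode(value):
    # OAuth 1.0 percent-encoding: only RFC 3986 unreserved characters are kept.
    return quote(str(value), safe="-._~")


def signature_base_string(method, url, params):
    # Encode every key and value, sort by key then value, join as k=v&k=v,
    # then concatenate METHOD & encoded URL & encoded parameter string.
    pairs = sorted((oauth_encode(k), oauth_encode(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), oauth_encode(url), oauth_encode(normalized)])


def hmac_sha1_signature(method, url, params, consumer_secret, token_secret=""):
    # HMAC-SHA1 over the base string, keyed with consumer secret & token secret.
    key = f"{oauth_encode(consumer_secret)}&{oauth_encode(token_secret)}".encode()
    base = signature_base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, base, hashlib.sha1).digest()).decode()


def generate_phrase(n_words=3):
    # Case 1: a phrase the user learns to expect on the authorize screen.
    return " ".join(secrets.choice(WORDS) for _ in range(n_words))


def build_request_token_request(url, consumer_key, consumer_secret, identity=None):
    """Consumer side: a signed request-token request that optionally carries
    the case 1 phrase or the case 2 username as xoauth_identity (hypothetical)."""
    params = {
        "oauth_consumer_key": consumer_key,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(int(time.time())),
        "oauth_nonce": secrets.token_hex(8),
        "oauth_version": "1.0",
        "oauth_callback": "oob",
    }
    if identity is not None:
        params["xoauth_identity"] = identity
    # The identity is signed together with the oauth_* parameters.
    params["oauth_signature"] = hmac_sha1_signature("POST", url, params, consumer_secret)
    return params


def verify_request(url, params, consumer_secrets=CONSUMERS):
    """Provider side: recompute the signature over all parameters except
    oauth_signature itself, so a modified xoauth_identity fails the check."""
    secret = consumer_secrets.get(params.get("oauth_consumer_key"))
    if secret is None or "oauth_signature" not in params:
        return False
    unsigned = {k: v for k, v in params.items() if k != "oauth_signature"}
    expected = hmac_sha1_signature("POST", url, unsigned, secret)
    return hmac.compare_digest(expected, params["oauth_signature"])


def authorize_screen(url, params):
    """Provider side: what the authorize page tells the user.
    Returns the consumer key, the identity to display (None in case 3)
    and whether the case 3 big warning applies."""
    if not verify_request(url, params):
        return {"error": "invalid signature; request refused"}
    consumer = params["oauth_consumer_key"]
    identity = params.get("xoauth_identity")
    if identity:
        # Cases 1 and 2: show what the consumer sent; the user knows what to expect.
        msg = (f"{consumer} presented the identity '{identity}'. "
               "Stop if this is not the phrase or username you expect.")
        return {"consumer": consumer, "identity": identity, "warning": False, "message": msg}
    # Case 3: no identity information at all was received from the consumer.
    msg = (f"WARNING: {consumer} sent no identity information. "
           "Continue only if you started this request yourself.")
    return {"consumer": consumer, "identity": None, "warning": True, "message": msg}


if __name__ == "__main__":
    url = "https://provider.example/oauth/request_token"  # hypothetical
    req = build_request_token_request(url, "photo-printer", CONSUMERS["photo-printer"], generate_phrase())
    print(authorize_screen(url, req)["message"])
```

The signature is what keeps the phrase honest on the provider side: a phisher who replays a legitimate request cannot swap in a different phrase without invalidating the signature, and a consumer that never sends the parameter always lands on the warning screen.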
