On 1-Feb-07, at 2:36 PM, Granqvist, Hans wrote: >> Add a single, required, boolean field to the authentication >> response that specifies whether or not the method the OP used >> to authenticate the user is phishable. The specification will >> have to provide guidelines on what properties an >> authentication mechanism needs to have in order to be >> "non-phishable." The field is just meant to indicate that the >> authentication mechanism that was used is not a standard >> "secret entered into a Web form." > > The receiver should decide what is 'non-phishable', not the > sender, so it would be better if the OP just states what > mechanism was used, perhaps.
Per Kim's laws, how I authenticate to my OP is none of the RP's business. That I authenticated in a phishing resistant manner is. ie. we want the OP to make the statement that it followed certain anti-phishing guidelines. There is no certainty that the OP followed them, but the RP and user have recourse against an OP if the OP stated that it did follow the anti-phishing guidelines. -- Dick _______________________________________________ specs mailing list specs@openid.net http://openid.net/mailman/listinfo/specs
