Hi,

A quick comment:

"... End User does not provide shared secrets to a party potentially under the control of the Relying Party ... "

So if the secret gets provided to any third party - so long as it's not a party under control of the RP - it's *not* phishing?

I think what everyone's trying to say is that "Phishing-Resistant" means "End Users can't be tricked into giving things to the wrong place"... is all the jargon/terminology/verbosity really necessary in the definition?

Kind Regards,
Chris Drake

_______________________________________________
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs