Preamble: Please direct me to the right list, if you feel that this one isn't. But since this thread could lead to some small changes in the OpenID Spec, I thought I could as well post it here.

--

Assume the following:

* A browser can detect that the currently loaded page is a login page for a certain identifier (that is: the page requests input of credentials).
* The browser is able to identify that the input destination of such credentials is valid for the identifier in question.
* The browser is able to communicate to users that they are about to enter credentials for that very identifier.

Assume also:

* Users can be educated to be suspicious about a certain class of login pages if those pages don't invoke browser interception.

Proposition:
============

If the identifier in the above assumptions is an OpenID, those assumptions suffice for such a browser to make the login page phishing "proof".

Please let's validate/discuss that statement (but not the assumptions in the first place).

If we find the proposition to be true, honing the OpenID 2.0 Spec should be possible. (I have specific ideas...)

I also have a proof of concept Firefox extension ready.

--
Boris

_______________________________________________
specs mailing list
[email protected]
http://openid.net/mailman/listinfo/specs
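The second assumption in the post (the browser can check that the credential destination is valid for the identifier) is the one a browser extension would actually have to implement. The sketch below is an added example, not code from the post or from Boris's extension: it discovers the OpenID provider endpoint from the identifier page's HTML `<link rel="openid2.provider">` / `<link rel="openid.server">` tags (XRDS/Yadis discovery is left out) and accepts a login form only if it posts over https to the same origin as a discovered endpoint. The "same origin as the OP endpoint" policy and the sample pages are assumptions made for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# rel values used by HTML-based OpenID discovery (OpenID 2.0 and 1.1).
PROVIDER_RELS = {"openid2.provider", "openid.server"}


class _LinkCollector(HTMLParser):
    """Collects href values of <link rel=...> tags that name an OpenID provider."""

    def __init__(self):
        super().__init__()
        self.endpoints = []

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        a = dict(attrs)
        rels = set((a.get("rel") or "").lower().split())
        if rels & PROVIDER_RELS and a.get("href"):
            self.endpoints.append(a["href"])


def discover_provider_endpoints(identifier_html):
    """Return the provider endpoint URLs declared on an identifier page."""
    collector = _LinkCollector()
    collector.feed(identifier_html)
    return collector.endpoints


def origin(url):
    """(scheme, host, port) with default ports filled in, for origin comparison."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port or (443 if scheme == "https" else 80)
    return (scheme, host, port)


def credential_destination_is_valid(identifier_html, form_action):
    """Assumed policy: the login form must post over https to the same origin
    as a provider endpoint discovered from the identifier page."""
    dest = origin(form_action)
    if dest[0] != "https":
        return False
    return any(origin(ep) == dest for ep in discover_provider_endpoints(identifier_html))


# Constructed identifier page for the example (not a real site).
IDENTIFIER_PAGE = """<html><head>
<link rel="openid2.provider" href="https://id.example.net/server">
<link rel="openid2.local_id" href="https://id.example.net/alice">
</head><body>alice's identifier page</body></html>"""
```

A lookalike host such as `id.example.net.evil.example` or a plain-http form fails the check, which is the signal the browser would surface to the user before any credential is typed.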
