A quick comment:

  "... End User does not provide shared secrets to a party potentially
       under the control of the Relying Party ... "

So if the secret gets provided to any third party - so long as it's
not a party under control of the RP - it's *not* phishing?

I think what everyone's trying to say is that "Phishing-Resistant"
means "End Users can't be tricked into giving things to the wrong
place"... is all the jargon/terminology/verbosity really necessary in
the definition?

Kind Regards,
Chris Drake
