Tuesday, June 10, 2008

Phishing Hole

You can get an 'anonymous' OpenID at http://www.jkg.in/openid (is it a coincidence that the URL almost spells out 'joking'?)

When you use such an OpenID at an RP, after providing the URI, you'll see only a flicker of web redirection before arriving back at the RP. No explicit authentication step, no consent step, no hassle.

Were this OP to fill in the PAPE blanks, which of the pre-canned policy identifiers should it use?

The PAPE definition for 'phishing resistant' is
An authentication mechanism where the End User does not provide a shared secret to a party potentially under the control of the Relying Party.

I assert/claim that as there is no shared secret, the End User surely can't provide it to a phisher, and so the above OP can claim 'phishing resistant'.
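As an added example (not code from the post, nor from the jkg.in OpenID service), here is how a relying party might treat the PAPE part of a positive assertion so that a self-asserted 'phishing resistant' claim from an arbitrary OP, such as the one above, is not taken at face value. The parameter names and policy URIs are those of PAPE 1.0; the vetted-OP list, the `https://op.example/` endpoint and the two sample responses are constructed.

```python
"""Relying-party checks on the PAPE (Provider Authentication Policy Extension)
part of an OpenID 2.0 positive assertion.

Added example, not code from the blog post or from the jkg.in OpenID service.
Parameter names and policy URIs follow PAPE 1.0; the vetted-OP list, the
https://op.example/ endpoint and the sample responses are constructed.
"""
from datetime import datetime, timedelta, timezone

PAPE_NS = "http://specs.openid.net/extensions/pape/1.0"
POLICY_BASE = "http://schemas.openid.net/pape/policies/2007/06/"
PHISHING_RESISTANT = POLICY_BASE + "phishing-resistant"
MULTI_FACTOR = POLICY_BASE + "multi-factor"
# PAPE 1.0 uses the literal "none" when no policy was met; the earlier draft
# used a full policy URI ending in "none". Treat both as "nothing was met".
NO_POLICY = {"none", POLICY_BASE + "none"}

# Constructed: OPs whose policy claims this RP has vetted out of band.
TRUSTED_OPS = {"https://op.example/"}
# Fixed clock so the example is deterministic.
NOW = datetime(2008, 6, 10, 12, 5, 0, tzinfo=timezone.utc)

# Constructed assertion as the anonymous OP from the post might send it if it
# "filled in the PAPE blanks": it claims phishing-resistant and gives no auth_time.
ANON_RESPONSE = {
    "openid.ns": "http://specs.openid.net/auth/2.0",
    "openid.mode": "id_res",
    "openid.op_endpoint": "http://www.jkg.in/openid",
    "openid.ns.pape": PAPE_NS,
    "openid.pape.auth_policies": PHISHING_RESISTANT,
    "openid.signed": "op_endpoint,ns.pape,pape.auth_policies",
}
# Constructed assertion from a vetted OP; the extension alias is deliberately
# not "pape", since OpenID lets the OP pick any alias for a namespace.
TRUSTED_RESPONSE = {
    "openid.ns": "http://specs.openid.net/auth/2.0",
    "openid.mode": "id_res",
    "openid.op_endpoint": "https://op.example/",
    "openid.ns.p": PAPE_NS,
    "openid.p.auth_policies": PHISHING_RESISTANT + " " + MULTI_FACTOR,
    "openid.p.auth_time": "2008-06-10T12:03:30Z",
    "openid.signed": "op_endpoint,ns.p,p.auth_policies,p.auth_time",
}


def pape_alias(params):
    """Return the alias the OP bound to the PAPE namespace, or None."""
    for key, value in params.items():
        if key.startswith("openid.ns.") and value == PAPE_NS:
            return key[len("openid.ns."):]
    return None


def parse_pape(params):
    """Extract the PAPE fields; None if the extension is absent or unsigned."""
    alias = pape_alias(params)
    if alias is None:
        return None
    signed = set(params.get("openid.signed", "").split(","))
    # Unsigned extension fields could have been altered in transit, so only
    # act on PAPE fields that the (already verified) signature covers.
    if f"{alias}.auth_policies" not in signed:
        return None
    prefix = f"openid.{alias}."
    raw = params.get(prefix + "auth_policies", "").split()
    policies = {p for p in raw if p not in NO_POLICY}
    auth_time = None
    if prefix + "auth_time" in params and f"{alias}.auth_time" in signed:
        # PAPE requires UTC in the form YYYY-MM-DDThh:mm:ssZ.
        auth_time = datetime.strptime(
            params[prefix + "auth_time"], "%Y-%m-%dT%H:%M:%SZ"
        ).replace(tzinfo=timezone.utc)
    return {"policies": policies, "auth_time": auth_time}


def accept_assertion(params, required_policy, now=NOW,
                     trusted_ops=TRUSTED_OPS, max_auth_age=timedelta(minutes=5)):
    """Decide whether to honour the OP's policy claim.

    auth_policies is self-asserted by the OP, so the claim is only as good as
    the OP making it. Assumes the assertion's signature was verified already.
    Returns (accepted, reason).
    """
    if params.get("openid.op_endpoint") not in trusted_ops:
        return False, "OP not vetted; its policy claim is not trusted"
    pape = parse_pape(params)
    if pape is None:
        return False, "no signed PAPE response"
    if required_policy not in pape["policies"]:
        return False, "required policy not met"
    if pape["auth_time"] is None or now - pape["auth_time"] > max_auth_age:
        return False, "authentication not fresh enough"
    return True, "ok"


if __name__ == "__main__":
    for name, resp in (("anonymous OP", ANON_RESPONSE), ("vetted OP", TRUSTED_RESPONSE)):
        print(name, accept_assertion(resp, PHISHING_RESISTANT))
```

The point of the allowlist check coming first is that PAPE only tells the RP what the OP says it did; whether 'phishing resistant' means anything is a property of the OP, not of the response, so an RP that needs that property has to decide per OP, out of band, whose claims it will believe.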
