This memo proposes requirements for protocols between web browsers
and relying parties at websites; these requirements also impact third
parties involved in the authentication process. These requirements
minimize the likelihood that criminals will be able to gain the
credentials necessary to impersonate a user, or to fraudulently
convince users to disclose personal information. To
meet these requirements browsers must change. Websites must never
receive information such as passwords that can be used to impersonate
the user to third parties. Browsers should authenticate the website
to the browser as part of authenticating the user to the website.
Browsers MUST flag situations in which this authentication fails, and
situations in which the target website is not authorized to accept the
identity being offered, as either is a strong indication of fraud.
These requirements may serve as a basis for requirements for
preventing fraud in environments other than the web.