XAuth critiques

John Panzer jpanzer at google.com
Mon Jun 7 20:26:53 UTC 2010


On Mon, Jun 7, 2010 at 1:13 PM, SitG Admin
<sysadmin at shadowsinthegarden.com> wrote:

>> You're mis-characterizing the arguments here -- please read my blog post.
>>
>
> Read it.


Great!


> Intent differs from effect. Breaking privacy to encourage browsers to fix
> it for you is provocative, whether meant to be so or not.


OK.  To be clear, I do not believe that XAuth breaks privacy.  Therefore, I
don't believe browsers need to 'fix' it.  I believe that browsers, if given
a clear direction and an existing ecosystem that could be made better with
browser support, will do the right thing.  Without that clear direction and
existing ecosystem, I don't believe they will do anything.

I think it would be great to have a discussion about privacy and security
aspects of XAuth, which should start with a discussion about what attacks
we're worried about preventing, and how XAuth affects them.  As an example,
there could be a security concern that knowing that I have an active session
with Google may help phishers know which identity provider to simulate when
I go to their site.  Or, there may be a concern that XAuth will help sites
broadcast the fact that I have a "session" with them to the world, and thus
expose linkages I would prefer not to have exposed.  Or there may be worries
that XAuth would allow sites to 'spam' my list of available IdPs if they can
get me to visit them. These are all certainly issues, but they require
individual discussions, and it's not clear to me that moving functionality
to the browser affects any of these issues in a fundamental way.


>
>
>> That's fine, I'm just warning people that there's a larger echo chamber
>> effect beyond this one thread.
>>
>
> Thanks. I was only aware of xAuth to the extent that it has been mentioned
> on these (OpenID) lists.
>
>
>> I disagree that XAuth, as a protocol that people can agree to start using,
>> is centralized.  The initial _implementation_ relies on a central DNS name,
>> but that is an accident of today's browser limitations.  That's a huge
>> difference from saying that it's inherently centralized.
>>
>
> Agreed. I wasn't trying to say that it was *inherently* centralized, though
> this was my understanding of Eran's point originally; in my follow-up, I
> meant exactly what you said, that it starts this way (hence the "provoking
> browser vendors to fix it" bit).
>
> -Shade
>