XAuth critiques

Santosh Rajan santrajan at gmail.com
Tue Jun 8 06:31:07 UTC 2010


Sorry to say this. Even though you think the situation is "overblown", I
think you have "really lost it", I think you have really gone "NUTS". I
think your own suggestion in an earlier post that you would like to go to
Australia, frankly, I think, is a good idea and you should keep up with that
promise.

On Tue, Jun 8, 2010 at 10:47 AM, Eran Hammer-Lahav <eran at hueniverse.com> wrote:

>
>
> > -----Original Message-----
> > From: openid-specs-bounces at lists.openid.net [mailto:openid-specs-
> > bounces at lists.openid.net] On Behalf Of John Panzer
> > Sent: Monday, June 07, 2010 9:47 PM
>
> > (Note that exactly the same issues arise when downloading extensions. JS is
> > just a way of delivering always-latest-version extensions to your browser.)
>
> Only in this case, the user is in full control over what extensions are
> being installed and updated in their browser.
>
> If Google, Yahoo, Microsoft, and the rest of the companies supporting the
> OpenID effort deployed the server-side half of this proposal, and spent a
> little money on developing plug-ins for all the major browsers (with Google
> and Microsoft able to also include it in the next release of their browser),
> it will create the tipping point in getting some form of identity selector
> in the browser.
>
> It was one thing for the OpenID community of 3 years ago to hack the
> protocol around the limitations of that time. These arguments are just
> insincere when they come from Google, now that you have a pretty successful
> browser (especially considering its age) and massively huge web footprint to
> promote such a feature.
>
> At the end, until you no longer use a script hosted in a single server,
> whoever is in control of this server can do whatever they like. Yes, if they
> do something bad it will be noticed, but that's like putting a bag full of
> cash on a street corner with a video camera next to it. Add to that the
> wealth of information the xauth.org site operator can gather without
> anyone's knowledge, this becomes a scary proposition.
>
> Your entire argument is that my concerns are "overblown", but not that the
> basic premise is incorrect. XAuth uses a single web server which is the most
> essential part of the proposal. The fact that the data itself isn't stored
> on that server (say, in a cookie sent to it) is an improvement over using
> cookies to store this data, but not by much.
>
> If this was something like the gravatar service - maybe. But you are asking
> for blind trust in something that is core to web security and privacy.
>
> EHL
> _______________________________________________
> specs mailing list
> specs at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs
>



-- 
http://hi.im/santosh