<div class="gmail_quote">On Fri, May 1, 2009 at 6:19 PM, DeWitt Clinton <span dir="ltr"><<a href="mailto:dewitt@unto.net">dewitt@unto.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
I agree that browser support is ultimately the best way to address the issue.<br></blockquote><div><br></div><div>Well, I think it's one essential way, for sure, but I think getting widespread deployment of such support will come in fits and starts, and so therefore can't be waited on. I know you know that, but it bears repeating.</div>
<div><br></div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;"><br>At SW Foo we briefly discussed an idea to drive client adoption of this not through openid, per se, but rather by trying to standardize the flow by enhancing HTML5 itself.</blockquote>
<div><br></div><div>This is certainly interesting and something that, if it improves security in general, seems worth pursuing.</div><div><br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<br>Something as simple as:<br><code style="font-family:courier new,monospace"><br> <form <b>type="login"</b> method="POST" action="<a href="http://example.com/login/" target="_blank">http://example.com/login/</a>"></code><code style="font-family:courier new,monospace"><br>
<!-- regular HTML username and password form here --></code><code style="font-family:courier new,monospace"><br> </form><br><br></code>Where the type="login" establishes a contract that allows the browser to replace the inner HTML with an implementation of choice that will POST a user's credentials, after the user allows it, to the action URL in a standardized format. ... The important thing is to standardize both the hint to the browser that it is a login form (i.e., the invented type="login") and the format of the data that is ultimately POSTed to the server.<br>
<div><div class="h5"></div></div></blockquote><div><br></div><div>I wonder about this "bait and switch" approach. Something about it just doesn't seem reasonable for a browser to do; it's basically defying the intentions of the site owner (then again, they'd have to adopt the "type=login" code).</div>
<div><br></div><div>Perhaps an alternative would be a meta tag or something like a rel-authenticate, to indicate that the page could be authenticated against? In this way, the browser could pop a dialog like "would you like to signin/connect to this site?" Once the user closes the browser or indicates a desire to end her session, the browser would be able to sign the user out of all their active sessions; upon resuming, the browser could auto-authenticate the user the next time they revisit the page (similar to Luke's proposal to auto-sign you in today). </div>
<div><br></div><div>This seems more appropriate as the signin stuff perhaps shouldn't be in the webpage at all, but brought to the browser layer, where there will ALWAYS be a user present.</div><div><br></div><div>Chris</div>
<div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;"><div><div class="h5"><br><br><div class="gmail_quote">On Fri, May 1, 2009 at 10:47 AM, Brendan O'Connor <span dir="ltr"><<a href="mailto:openid@ussjoin.com" target="_blank">openid@ussjoin.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="border-left:1px solid rgb(204, 204, 204);margin:0pt 0pt 0pt 0.8ex;padding-left:1ex"><div>On Fri, May 1, 2009 at 1:35 PM, Johannes Ernst<br>
<jernst+<a href="http://openid.net" target="_blank">openid.net</a>@<a href="http://netmesh.us" target="_blank">netmesh.us</a>> wrote:<br>
<br>
> If we could get the browser developers to add anything we wanted to their<br>
> browsers, what *exactly* would we want them to implement?<br>
> This is not outlandish. The Mozilla folks asked repeatedly in the past (and<br>
> we never knew what to say in response) and the security of a billion OpenIDs<br>
> is not a set of user requirements that's easily dismissed either.<br>
> It appears that it would be some kind of user interface element (think<br>
> "popup" for a minute) that could display the OP's authentication ceremony.<br>
> But where the browser would somehow "certify" that it was not a phishing<br>
> attempt and came from one of the user's trusted OPs. In a way that is better<br>
> than having the user to do a string compare on the URL shown in the address<br>
> bar.<br>
> What would such a user interface element look like? That's not limited to<br>
> what we can do without cooperation from the browser guys.<br>
> In Firefox, it could be sitting in the side bar for example. (where the<br>
> bookmarks are) Or ...?<br>
<br>
</div>Why not Seatbelt? I mean, naturally, a reimplemented version, but it<br>
seems to solve the UI/UX issues pretty nicely. It just sits quietly<br>
down in my status bar, and only pops up if I try to log in somewhere--<br>
and it always displays my current logged in / logged out status. And<br>
it can be configured for any OP.<br>
<br>
<<a href="https://addons.mozilla.org/en-US/firefox/addon/5133" target="_blank">https://addons.mozilla.org/en-US/firefox/addon/5133</a>><br>
<font color="#888888"><br>
---Brendan O'Connor<br>
</font><div><div></div><div>_______________________________________________<br>
user-experience mailing list<br>
<a href="mailto:user-experience@openid.net" target="_blank">user-experience@openid.net</a><br>
<a href="http://openid.net/mailman/listinfo/user-experience" target="_blank">http://openid.net/mailman/listinfo/user-experience</a><br>
</div></div></blockquote></div><br>
</div></div><br>
<br></blockquote></div><br><br clear="all"><br>-- <br>Chris Messina<br>Open Web Advocate<br><br><a href="http://factoryjoe.com">factoryjoe.com</a> // <a href="http://diso-project.org">diso-project.org</a> // <a href="http://openid.net">openid.net</a> // <a href="http://vidoop.com">vidoop.com</a><br>
This email is: [ ] bloggable [X] ask first [ ] private<br>