[dix] Re: Gathering requirements for in-browser OpenID support

[Pete Rowley]

Troy Benjegerdes wrote:
> On Mon, Oct 16, 2006 at 12:31:48PM -0700, Scott Kveton wrote:
>   
>> Hey Rob,
>>  
>>     
>>> I'm trying to gather requirements for OpenID support. I think I have a
>>> reasonable understanding of the draft, but part of the appeal of OpenID
>>> is that it doesn't necessarily require browser vendors to do anything :)
>>>
>>> I've seen the proposed 2617-style HTTP authentication scheme on the
>>> wiki. What else could browser vendors do to make OpenID a smoother
>>> experience for users?
>>>       
>> As I posted on the Mozilla wiki:
>>
>> http://wiki.mozilla.org/Firefox/Feature_Brainstorming#Identity
>>
>> I'd love to see some anti-phishing mojo baked into the browser.  If the user
>> could set their trusted IdP (or multiple as the case may be) in the browser
>> and then have the browser do something obvious when the users is presented
>> with an "untrusted" page asking for their password that would be great IMHO.
>>     
>
> I think there needs to be more overlap between the people on the OpenID
> list and people on the IETF DIX list... Both of these groups of people
> seem to have similiar ideas, and different approaches. A real solution
> to this distributed identity problem is going to involve both groups.
>
>   
If there is going to be a "mojo" in the browser then I think it ought to 
just take care of the authentication itself i.e. the site never gets an 
opportunity to be MITM because users appear to them to always be 
previously authenticated. I also think it _is_ a requirement that the 
browser vendors support this - right now you have to trust that the RP 
is a white hat.

-- 
Pete

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3241 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.openid.net/pipermail/openid-general/attachments/20061018/b26fe501/attachment-0002.bin>