[OpenID] Replacing all browsers isn't as hard as it might seem...

[James A. Donald]

Bob Wyman:
 > > The fact that browsers have failed to provide us
 > > with the capabilities we need to provide our users
 > > with a safe browsing experience cannot be something
 > > that we simply accept and try to work around. This
 > > situation should be considered a scandal and the
 > > press should be filled with articles on the subject.
 > > The proper and correct course of action is, I think,
 > > to find means to force the browser developers to
 > > address better the most critical needs of the
 > > market. Too many people have lost too

Mike Beltzner
 > This statement bothers me, somewhat. It's impossible
 > for me to say this (as the only guy in the room who
 > works on a web browser for a living) without sounding
 > defensive, but ... I don't know why it's up to
 > web-browser vendors alone, or why browsers alone are
 > being made to blame. Why not ISPs, CAs, protocol and
 > technology specification authoring groups? Or banks
 > for continuing to email clients with links to their
 > web pages instead of clearly stating "we will never
 > email you a web link, ever, ever, ever!" Do you
 > similarly consider email clients to blame for allowing
 > spam or web scams, telephone manufacturers to blame
 > for allowing telephone scams, or banks to blame for
 > credit card fraud? Surely not on their own. The
 > failures that have led to the relative ease of
 > phishing, MITM, pharming, etc, should be shared
 > equally. The browser vendors can help and work with
 > these groups to make things better, and we can even
 > act in harmony to deprecate blatantly insecure
 > technologies (as we did by refusing to display certain
 > versions of SSL), but I don't think that it's only up
 > to us.

Phishing can only be fixed in the user agent.

We also have a closely related problem, too damn many
passwords.

The user agent needs to handle registration, login, and
website initiated messages to registrants.