[OpenID] Identity in the browser - IDIB
SitG Admin
sysadmin at shadowsinthegarden.com
Sat Aug 9 00:02:36 UTC 2008
>... and the problem is? ... they are becoming aware they have choice in OP.
Choices mean a lot more if you learn you have them *before*
investing in one. The first such notification would be a good place
to inform the users about Identity - i.e. "If you use this URL as
your OpenID, it will be the 'name' people know you by. Would you like
to visit a few other sites you frequently use so this extension can
assemble a list of OPs you already have available?"
>btw: what else is given away with an identifier is why emails are a
>BAD idea to be the OpenID identifier.
I recently wrote about a similar danger here:
http://brad.livejournal.com/2357444.html?thread=14459076
Comment hasn't been approved yet, so you won't be able to see it;
here's an excerpt:
"The current E-mail verification model, though, *notifies the user*
when someone pings their address. Giving potentially malicious 3rd
parties the ability to stealthily probe networks for a given username
(without that user being aware of the attempt) creates an opportunity
for stalkers and data-miners to establish a profile of you without
being detected in the process."
There's also spam, and I again want a 404-style "Your message did not
arrive at its requested destination." error so spammers don't know
whether they were blocked or ignored or just found a nonexistent
address. It's one of the few security features whose
absence has left me distinctly unimpressed with modern commercial
E-mail services.
-Shade