[OpenID] FB Connect, OpenID and UX - general Security Services

Peter Williams pwilliams at rapattoni.com
Tue Dec 16 13:56:04 UTC 2008 

It always fails.

VISA could make its universal card an id, tomorrow, but doesn't.

Client certs are built into the world's browsers, but folks won't use them (and its not THAT hard to make them manageable).

A billion wap-capable phones have a universal E.164 id, and GSM networks roam without losing id control by the provisioning network. Folks wont allow this to bind the phoneauth to websso to arbitrary web sites (without the wap proxy of course, these days) though.

What works well, tho (and we can actually do today, as third parties) is use the likes of myopenid's phone auth - wherein a click on the keypad becomes an openid assertion.

We investigate the economics of that phone auth (universal phone auth!) to myopenid/saml carefully. It's cute, but not economic if your community logs in 10 times a day, from a variety of PC hosts.

> -----Original Message-----
> From: general-bounces at openid.net [mailto:general-bounces at openid.net] On
> Behalf Of Martin Atkins
> Sent: Tuesday, December 16, 2008 1:21 AM
> To: Christian Scholz / Tao Takashi (SL)
> Cc: general at openid.net
> Subject: Re: [OpenID] FB Connect, OpenID and UX - general Security
> Services
>
> Christian Scholz / Tao Takashi (SL) wrote:
> > On Tue, Dec 16, 2008 at 9:53 AM, Alexandru Popescu ☀
> > <the.mindstorm.mailinglist at gmail.com> wrote:
> >> On Mon, Dec 15, 2008 at 11:23 PM, Steven Livingstone-Perez
> >> <weblivz at hotmail.com> wrote:
> >>> [snip /]
> >>>
> >>> I mean building AS PART of the browsers would be the logical way to
> do all
> >>> this, but as an alternative, an approach such as that provided by
> these
> >>> existing security companies could also work well. I mean the key
> issue is
> >>> knowing that the "service" doing all of the core identity work is
> trusted –
> >>> whether that be the browser itself or an external trusted
> application.
> >>>
> >> While, I do think this might work, lets keep in mind that asking
> >> people to install 3rd party tools is not usually showing a high rate
> >> of adoption. Secondly, the more 3rd party tools you are depending on
> >> means a lot more places to track possible vulnerabilities.
> >
> > And I think the only way to spread adoption is to actually built it
> > directly into the browser, not just as addon. There might also be a
> > trust issue involved as you usually trust your browser vendor more
> > than third party apps.
> >
>
> I believe the plan with the idib ("identity in browser") project was to
> build it as a browser extension first to figure out what OpenID support
> in the browser might look like and once there's a good working
> extension
> *then* push to get that added as a core browser feature.
>
> That was my understanding, at least.
>
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general

More information about the general mailing list