[OpenID] OpenID and SSO

Eric Norman ejnorman at doit.wisc.edu
Sat Jun 28 13:35:31 UTC 2008


On Jun 27, 2008, at 10:54 PM, SitG Admin wrote:
>

> I took the "user actions" Eric Norman spoke of to be *types* of user
> action - such as checking a URL visually (to make sure it's their
> OP), typing in their Identity, and clicking a button (though I don't
> readily see how this would be a security measure).

Clicking on a button typically represents a decision on the
part of the user.  E.g. do I want this process to continue?
This is one of the cognitive actions being asked of the
user and it's usually related to security.

>  Another question
> is whether actions that Firefox takes on behalf of the user (such as
> filling in a field or notifying the user that this site's certificate
> doesn't match) can be treated as "user actions".

Just because the information received on the other end
appears to have been constructed by the user doesn't mean
that it actually was.  The user actions I'm talking about
require that the user decides to perform some task.

In the case of the certificate warning, the user decision
is whether to continue or not.

> How about requiring the user to authenticate using multiple *literal*
> "domains"? Any one OP normally, but 2 or more in succession (that
> have previously been used) to make changes?

I would like such a feature.  I doubt if any of my sisters
would think of it as anything other than harassment, though.

> At the far extreme end of the spectrum, the login process is
> initiated for any site the user visits and completed automatically
> with all requested fields.

True enough, and I'm arguing that what's described above is
at the low extreme end of the security spectrum.

Eric Norman
