[OpenID] Combining Google & Yahoo user experience research

Brandon Ramirez brandon.s.ramirez at gmail.com
Sun Oct 19 16:28:28 UTC 2008


Can we have identity without trust?  Can we have trust without identity?  In
my mind, the two are interwoven.  When a person identifies themselves, we
need some element of trust (if we're in person and we've met them before,
our memory provides that trust, if not, a photo ID, etc.).  To rephrase,
I'd say that identity can technically exist without trust, but it's
meaningless to us humans.

Trust can also not exist without identity.  If you login to my web site, a
3rd party vouches for your claim of identity.  In order to trust this 3rd
party, I must know who they are.  If it's a random entity, then why should I
trust them?  It's like a driver's license.  It's only a valid form of ID
because it's certified by the government, and we know who the different
government entities are (DMV, Department of State, etc.).  If I were a
bouncer checking ID's, I'd be a bit suspicious if someone gave me a driver's
license issued by "State of MyFakeState".  The same goes for virtual
identity.  Why should I trust a random OP?

- Brandon

On Sat, Oct 18, 2008 at 12:23 AM, Chris Messina <chris.messina at gmail.com> wrote:

> I don't think that it's necessarily OpenID's job to solve these specific
> problems. It's really an identity protocol; trust, veracity and authenticity
> (in the human sense) are, by design (and by extension, politics) purposely
> kept out of scope.
> Several of our companies, mine included, operate in the space afforded by
> the adoption of a technology like OpenID, where you can choose to have
> increasing levels of complexity, encryption, circuity and sophistication to
> thwart those who would gain by attempting to act as though they were you.
>
> Whether you verify that you're human by receiving a $1 transaction or a 5
> character text message is actually an opportunity for innovation and
> research, and by promoting the adoption of OpenID as a common conduit, we
> enable the pre-conditions for such an industry to grow up with
> consumer-facing services (as opposed to enterprise).
>
> My girlfriend today commented that OpenID is too hard because it requires
> too many steps. She wasn't talking about the authentication dance -- and she
> didn't even mind typing in her blog address to sign in (she's delegated to
> ClaimID.com). Instead her gripe was with the form-filling process
> *immediately* following the sign in process where, even though her OpenID
> provider has her name, email, bio and a bunch of other choice tidbits, the
> relying party either didn't, or didn't know how to, ask for it from her IdP.
> And since she had to re-enter this data *yet* again, OpenID as a whole ended
> up looking bad.
>
> The point that I'm ultimately making here is that we could sit here all day
> arguing over the need to secure one's identity and how to do it, but for
> most people, that's self-referential bike shed painting.
>
> We need this stuff to just work and get out of the way (unless a user
> chooses otherwise), and no user interface research is going to be complete
> unless we also weigh the second order benefits of time-saving and smoother
> flows that can come by enhancing the standards-based identity technologies.
>
> To that end, I think we need to think beyond just authentication here, and
> look at what happens immediately AFTER you've signed in with OpenID. How can
> we make that experience intuitive, compelling, desirable and motivating? How
> can we get it in people's heads that the OpenID experience is the one that
> they WANT -- and the one that they should DEMAND from their favorite web
> services?
>
> If we can't improve even the basic sign up and sign in flows from where
> they are today, indeed, we will continue to struggle with basic issues like
> awareness and adoption.
>
> Chris
>
>
> On Fri, Oct 17, 2008 at 8:50 PM, Peter Williams <pwilliams at rapattoni.com> wrote:
>
>> This assurance/practice using email is essentially identical to the
>> infamous dollar auth transaction, against VisaNet. If one can get an auth
>> from VISA to allow the user a $1 credit, then you can infer the VISA number
>> is accurate, and in good standing. It implies identity verification (and you
>> can invoke fraud law against any law breakers).
>>
>> This is itself only a variant of a 100-year-old FBI trick, to induce
>> someone under prosecution threat to commit formal mail fraud ... so one can
>> obtain leverage (incarceration, anal probing, association with the
>> explicit violence of gangland present in holding cells etc) during a plea
>> bargain over something much harder to prove.
>>
>>
>> Attack surfaces tend to be multi-level (and that's a pun).
>>
>>
>> -----Original Message-----
>> From: general-bounces at openid.net [mailto:general-bounces at openid.net] On
>> Behalf Of Allen Tom
>> Sent: Friday, October 17, 2008 8:35 PM
>> To: Dick Hardt; OpenID List
>> Subject: Re: [OpenID] Combining Google & Yahoo user experience research
>>
>> Dick Hardt wrote:
>> >
>> > The UX of getting a verified email and then auto binding an existing
>> > account is cleaner. It does mean that if I can prove I have your email
>> > address, that I can take over your account. Seems to broaden the
>> > attack surface rather than narrow it.
>> >
>>
>> Hi Dick,
>>
>> Many sites allow an account's password to be reset by sending a Reset
>> Token to an email address associated with the account. An attacker who
>> gains access to the email address is able to reset the password, and is
>> therefore able to take over the account. If the ability to reset a
>> password is equivalent to logging in, then the attack surface is really
>> unchanged.
>>
>> Allen
>>
>>
>> _______________________________________________
>> general mailing list
>> general at openid.net
>> http://openid.net/mailman/listinfo/general
>>
>
>
>
> --
> Chris Messina
> Citizen-Participant &
>  Open Technology Advocate-at-Large
> factoryjoe.com # diso-project.org
> citizenagency.com # vidoop.com
> This email is:   [ ] bloggable    [X] ask first   [ ] private
>
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general
>
>
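Two design points are argued in this thread: Allen's claim that auto-binding an OP-verified e-mail to an existing account is no broader an attack surface than e-mailed password reset, and Brandon's claim that a relying party has no reason to trust a random OP. The following is an added example of a relying-party binding policy that encodes both (it is not code from the list, from any OpenID library, or from any of the companies mentioned; every endpoint, domain and account name is hypothetical). The caveat it adds, beyond the thread, is that the equivalence only holds for accounts that actually permit reset by e-mail: if an account has turned that off, auto-binding by e-mail would re-open the mailbox-takeover path, so the policy falls back to requiring the user to authenticate to the existing account first.

```python
"""Constructed example: RP account-binding policy for an OpenID assertion.

The RP auto-binds an OP-asserted e-mail to an existing local account only when
(1) the OP is on the RP's own allowlist for that e-mail domain (no random OPs),
(2) the OP marked the address as verified, and
(3) the account already allows password reset by e-mail, so the mailbox owner
    could take it over anyway and the binding adds no new takeover path.
Otherwise the user must prove ownership of the existing account first.
"""
from dataclasses import dataclass, field

# Hypothetical allowlist: OP endpoint -> e-mail domains that OP may vouch for.
TRUSTED_OPS = {
    "https://op.example.com/": {"example.com", "mail.example.com"},
    "https://id.example.org/": {"example.org"},
}


@dataclass
class Account:
    username: str
    email: str
    linked_openids: set = field(default_factory=set)
    # True mirrors the common "reset token by e-mail" practice: whoever controls
    # the mailbox can already reset the password and log in.
    reset_by_email: bool = True


def email_domain(email):
    """Domain part of an address, lower-cased; empty string if malformed."""
    return email.rsplit("@", 1)[-1].lower() if "@" in email else ""


def op_trusted_for(op_endpoint, email):
    """An OP's assertion counts only for domains the RP allowlisted for it."""
    return email_domain(email) in TRUSTED_OPS.get(op_endpoint, set())


def decide_binding(op_endpoint, claimed_id, email, email_verified, accounts):
    """Return (decision, account) for a completed OpenID assertion.

    decision is one of:
      'login'        claimed_id is already linked; ordinary sign-in
      'auto_bind'    existing account with this e-mail; OP trusted, address
                     verified, and reset-by-email already allowed -> link it
      'require_auth' existing account, but the assertion is not strong enough
                     to hand it over; user must authenticate to it first
      'new_account'  no local account uses this e-mail
    """
    for acct in accounts:
        if claimed_id in acct.linked_openids:
            return "login", acct
    match = next((a for a in accounts if a.email.lower() == email.lower()), None)
    if match is None:
        return "new_account", None
    if email_verified and op_trusted_for(op_endpoint, email) and match.reset_by_email:
        match.linked_openids.add(claimed_id)
        return "auto_bind", match
    # Untrusted OP, self-asserted address, or an account that does not trust
    # its mailbox for reset: auto-binding here would widen the attack surface.
    return "require_auth", match


def sample_accounts():
    """Constructed local account table for the walkthrough below."""
    return [
        Account("alice", "alice@example.com"),
        Account("bob", "bob@example.org", reset_by_email=False),
    ]


if __name__ == "__main__":
    accts = sample_accounts()
    for op, cid, email, verified in [
        ("https://op.example.com/", "https://op.example.com/alice", "alice@example.com", True),
        ("https://op.example.com/", "https://op.example.com/alice", "alice@example.com", True),
        ("https://op.myfakestate.example/", "https://op.myfakestate.example/alice", "alice@example.com", True),
        ("https://id.example.org/", "https://id.example.org/bob", "bob@example.org", True),
        ("https://op.example.com/", "https://op.example.com/carol", "carol@example.com", True),
    ]:
        decision, acct = decide_binding(op, cid, email, verified, accts)
        print(f"{op:38} {email:20} -> {decision}")
```

The allowlist is deliberately keyed by domain, not just by OP: an OP that is perfectly trustworthy for its own users should still not be able to bind an address at some unrelated domain to one of the RP's accounts.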

