[OpenID] Combining Google & Yahoo user experience research
SitG Admin
sysadmin at shadowsinthegarden.com
Tue Oct 21 00:32:24 UTC 2008
>I care who my bank trusts. If my money gets stolen because somebody
>set up their own OP that requires no authentication (yes, security
>through obscurity) and some attacker gained enough entry to the
>bank's web app that they exploited a security flaw (let's face it...
>Most security is perimeter-based and becomes less stringent
>post-login), I'd be VERY angry with my bank.
I was thinking more along the lines of "If the bank offers liability
(will cover losses) if I use *their* IDP, is that benefit worthwhile
TO ME?".
>By allowing a bank, content provider, or anyone else access to my
>money, personal information, even photos, I trust them to make wise
>decisions about how to protect it. Thus, I trust whomever they
>trust.
Hold on, there's a gap in the logic here. I get that the second trust
follows from the first. But where is the first coming from?
"I'd like to have your personal information, please. I can't steal
your identity if someone else steals it first, so it's in my best
interests to keep your personal information secret from everyone
else."
But even if the bank, content provider, or "other" party is
trustworthy, what makes them want to "protect" your information? I
realize it's traditional to assume that:
http://www.schneier.com/blog/archives/2008/09/privacy_policie.html
But, seriously, isn't this an argument *for* user-controlled IDP's?
-Shade