[OpenID] FW: general Digest, Vol 26, Issue 57

Andrew Arnott andrewarnott at gmail.com
Tue Oct 21 20:39:17 UTC 2008


Nathan,
OpenID does not mandate that sites you log into automatically know anything
at all about you except an identifier by which they can recognize you at your
next visit.  All other information, including the ability to recognize you
as the same person who logged into some other web site, or any personal
information like name or age, is completely optional.

With none of that mandated, OpenID still gives you the ability to log in
with just a single username and password across the web.

On Tue, Oct 21, 2008 at 12:57 PM, Nathan <npoole at computrain-lap.com> wrote:

> I just want to add that I like where you guys are trying to go with all of
> this. But do we really want to put an ID system on the internet?? To me
> this screams "Driver's License" or "State ID", only you're trying to do this
> online. That is an extremely scary thought. I don't want to log in to my
> favorite porn site or whatever kind of site and have the website owner
> immediately have all of my personal information. Or, for that matter, how
> do you plan on keeping users of the OpenID from tracking people's
> website-visiting habits?
>
> You guys really need to rethink all of this and really consider what you
> might be doing.
>
> -----Original Message-----
> From: general-bounces at openid.net [mailto:general-bounces at openid.net] On
> Behalf Of general-request at openid.net
> Sent: Tuesday, October 21, 2008 3:00 PM
> To: general at openid.net
> Subject: general Digest, Vol 26, Issue 57
>
> Today's Topics:
>
>   1. Re: Security related Use Cases? (Ben Laurie)
>   2. Re: Security related Use Cases? (Peter Williams)
>   3. Re: Security related Use Cases? (Breno de Medeiros)
>   4. Re: Security related Use Cases? (Ben Laurie)
>   5. Re: Security related Use Cases? (Paul Madsen)
>   6. Re: Combining Google & Yahoo user experience research (Peter Williams)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Tue, 21 Oct 2008 19:02:11 +0100
> From: "Ben Laurie" <benl at google.com>
> Subject: Re: [OpenID] Security related Use Cases?
> To: "Allen Tom" <atom at yahoo-inc.com>
> Cc: Dick Hardt <dick at sxip.com>, OpenID List <general at openid.net>
> Message-ID:
>        <1b587cab0810211102k42db405awfafd5b5895478cca at mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> On Tue, Oct 21, 2008 at 5:28 PM, Allen Tom <atom at yahoo-inc.com> wrote:
> > Paul Madsen wrote:
> >>
> >> Even better 'please login so we can display your personalized seal'
> >>
> >
> > This is exactly why we want the Login UX to be very consistent, so
> > users should be very alarmed if the flow ever changes.
>
> So if we're going to embark on a UX consistency campaign, should we not do
> it around authentication that actually is safe - that is:
>
> a) Built in to the browser, s.t. it can't be faked by webpages
>
> b) Does not reveal the user's password in the process of authentication?
>
> Continuing to try to prop up the house of cards that is authentication on
> webpages seems counterproductive to me.
>
> >
> > Allen
> >
> >
>
>
> ------------------------------
>
> Message: 2
> Date: Tue, 21 Oct 2008 11:04:52 -0700
> From: Peter Williams <pwilliams at rapattoni.com>
> Subject: Re: [OpenID] Security related Use Cases?
> To: Ben Laurie <benl at google.com>, Allen Tom <atom at yahoo-inc.com>
> Cc: Dick Hardt <dick at sxip.com>, OpenID List <general at openid.net>
> Message-ID:
>        <7FD5B754D66D9A489C584ECA4B32418F20EFC4DE at simmbox01.rapnt.com>
> Content-Type: text/plain; charset="us-ascii"
>
> Someone please tell the list what UX is?
>
>
> -----Original Message-----
> From: general-bounces at openid.net [mailto:general-bounces at openid.net] On
> Behalf Of Ben Laurie
> Sent: Tuesday, October 21, 2008 11:02 AM
> To: Allen Tom
> Cc: Dick Hardt; OpenID List
> Subject: Re: [OpenID] Security related Use Cases?
>
> On Tue, Oct 21, 2008 at 5:28 PM, Allen Tom <atom at yahoo-inc.com> wrote:
> > Paul Madsen wrote:
> >>
> >> Even better 'please login so we can display your personalized seal'
> >>
> >
> > This is exactly why we want the Login UX to be very consistent, so
> > users should be very alarmed if the flow ever changes.
>
> So if we're going to embark on a UX consistency campaign, should we not do
> it around authentication that actually is safe - that is:
>
>
>
> ------------------------------
>
> Message: 3
> Date: Tue, 21 Oct 2008 11:06:58 -0700
> From: "Breno de Medeiros" <breno at google.com>
> Subject: Re: [OpenID] Security related Use Cases?
> To: "Allen Tom" <atom at yahoo-inc.com>
> Cc: Dick Hardt <dick at sxip.com>, OpenID List <general at openid.net>
> Message-ID:
>        <29fb00360810211106w7d234439pd495ff8390ac7719 at mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> On Tue, Oct 21, 2008 at 9:26 AM, Allen Tom <atom at yahoo-inc.com> wrote:
> > Ben Laurie wrote:
> >
> > We do not allow the Yahoo Login screen to be framed,
> >
> >
> > Can you do that when JS is disabled?
> >
> >
> >
> > No, JS must be enabled for the framebusting code to work. That being
> > said, our studies show that more than 99 percent of users have JS
> > enabled, and realistically speaking, users who disable JS for security
> > reasons are probably not going to get phished.
>
> IE allows you to create an iframe and disable JS inside the iframe.
> 70-85% of users will be vulnerable to this attack.
>
> >
> > Surely research has shown that these are completely ineffective? That
> > is, if the phisher replaces the seal with "sorry, our server is down
> > right now" most people go ahead and log in anyway.
> >
> >
> > The Sign-in Seal is intended to help users recognize the Yahoo Login Screen.
> > It is not intended to be a 100% foolproof solution, but rather it is
> > an extra factor for users who worry about phishing to have a greater
> > assurance that they're not being phished when entering their password.
> >
> > Allen
> >
> >
> > _______________________________________________
> > general mailing list
> > general at openid.net
> > http://openid.net/mailman/listinfo/general
> >
> >
>
>
>
> --
> --Breno
>
> +1 (650) 214-1007 desk
> +1 (408) 212-0135 (Grand Central)
> MTV-41-3 : 383-A
> PST (GMT-8) / PDT(GMT-7)
>
>
> ------------------------------
>
> Message: 4
> Date: Tue, 21 Oct 2008 19:12:02 +0100
> From: "Ben Laurie" <benl at google.com>
> Subject: Re: [OpenID] Security related Use Cases?
> To: "Peter Williams" <pwilliams at rapattoni.com>
> Cc: Dick Hardt <dick at sxip.com>, OpenID List <general at openid.net>
> Message-ID:
>        <1b587cab0810211112p2659ca7ekda2a97b27cf70f09 at mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> On Tue, Oct 21, 2008 at 7:04 PM, Peter Williams <pwilliams at rapattoni.com>
> wrote:
> > Someone please tell the list what UX is?
>
> User experience.
>
> >
> >
> > -----Original Message-----
> > From: general-bounces at openid.net [mailto:general-bounces at openid.net]
> > On Behalf Of Ben Laurie
> > Sent: Tuesday, October 21, 2008 11:02 AM
> > To: Allen Tom
> > Cc: Dick Hardt; OpenID List
> > Subject: Re: [OpenID] Security related Use Cases?
> >
> > On Tue, Oct 21, 2008 at 5:28 PM, Allen Tom <atom at yahoo-inc.com> wrote:
> >> Paul Madsen wrote:
> >>>
> >>> Even better 'please login so we can display your personalized seal'
> >>>
> >>
> >> This is exactly why we want the Login UX to be very consistent, so
> >> users should be very alarmed if the flow ever changes.
> >
> > So if we're going to embark on a UX consistency campaign, should we
> > not do it around authentication that actually is safe - that is:
> >
> >
>
>
> ------------------------------
>
> Message: 5
> Date: Tue, 21 Oct 2008 14:20:34 -0400
> From: Paul Madsen <paulmadsen at rogers.com>
> Subject: Re: [OpenID] Security related Use Cases?
> To: Allen Tom <atom at yahoo-inc.com>
> Cc: OpenID List <general at openid.net>
> Message-ID: <48FE1D72.6000501 at rogers.com>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> Thanks Allen, yes I understand the premise, but I'm a Yahoo! user and,
> despite knowing better, I find myself very tolerant of 'not' seeing the seal
> (which I know I set up at some point, but can't remember if I removed it, or
> did I do it from another machine, or was it for a different account, or was
> it Google, etc ....)
>
> paul
>
> Allen Tom wrote:
> > Paul Madsen wrote:
> >> Even better 'please login so we can display your personalized seal'
> >>
> > This is exactly why we want the Login UX to be very consistent, so
> > users should be very alarmed if the flow ever changes.
> >
> > Allen
> >
> >
> >
>
> --
> Paul Madsen             e:paulmadsen @ ntt-at.com
> NTT                     p:613-482-0432
>                        m:613-282-8647
>                        aim:PaulMdsn5
>                        web:connectid.blogspot.com
>
>
>
> ------------------------------
>
> Message: 6
> Date: Tue, 21 Oct 2008 11:27:39 -0700
> From: Peter Williams <pwilliams at rapattoni.com>
> Subject: Re: [OpenID] Combining Google & Yahoo user experience
>        research
> To: Martin Atkins <mart at degeneration.co.uk>, Paul Madsen
>        <paulmadsen at rogers.com>
> Cc: "general at openid.net" <general at openid.net>
> Message-ID:
>        <7FD5B754D66D9A489C584ECA4B32418F20EFC4DF at simmbox01.rapnt.com>
> Content-Type: text/plain; charset="us-ascii"
>
> I understood UCI (in the OpenID vs the Cardspace sense) to be about
> user empowerment. It exists to break the notion that FaceBook (or some other
> IDP) controls the portability of my buddy list. I control my buddy list.
> Period. The OP is just a contractor to me, handling my copyrighted data
> aggregation.
>
> For example, if Facebook decide that I violate their terms of contract, and
> suspend access without notice (or because the local secret police tell them
> to), there is no impact on me concerning my 2000 entries. I don't "suddenly"
> lose access to my social net because of the IDP's policies. I get
> "portability" of my identity.
>
> This is obviously not something the traditional SAML world ever believed in.
> There, the IDP is the trustee of your attributes, guarding your privacy. But
> there is a cost: it gets control. It participates in governance regimes that
> may or may not suit you (even if they suit the public in general).
>
> ----------
>
> My point about SP affiliations is that this particularly nice feature from
> the more advanced SAML world allows one dominant spoke to rely on an OP, and
> then signal other affiliate member spokes about its renaming activities.
> What is OpenID delegation, other than a renaming of URIs (at certain OPs)?
>
> A cute way to have the SAML and OpenID2 models converge would be to play with
> this idea, where only certain amounts of control are ceded by the user and
> that delegation is explicit. This user then has survivability when the
> OP/IDP stops supporting him/her.
>
>
>
> -----Original Message-----
> From: Martin Atkins [mailto:mart at degeneration.co.uk]
> Sent: Monday, October 20, 2008 12:07 PM
> To: Paul Madsen
> Cc: Peter Williams; general at openid.net
> Subject: Re: [OpenID] Combining Google & Yahoo user experience research
>
> Paul Madsen wrote:
> > Thanks, OpenID's delegation mechanism is undeniably powerful (not sure
> > I see the connection to SAML affiliations though?).
> >
> > But the enhanced ability to switch IDPs isn't the 'user empowering
> > aspect' of OpenID I was asking about - rather the hardline view that a
> > User's choice of OP takes complete priority over whatever the RP might
> > think about the matter.
> >
> > Is an RP ever declining a user specified OP compatible with your view
> > (at least my interpretation of) of user-centric?
> >
>
> The RP can do whatever it likes, of course.
>
> It's up to the RP to decide whether they want my business enough to respect
> my decision as to which OP I trust. I'm unlikely to go get a new OP just
> because an RP doesn't like my current one. I'd just go find a competing RP.
>
>
>
>
> ------------------------------
>
>
> End of general Digest, Vol 26, Issue 57
> ***************************************
>