[OpenID] Security related Use Cases?
John Panzer
jpanzer at acm.org
Wed Oct 22 17:11:57 UTC 2008
Ben Laurie wrote:
> On Wed, Oct 22, 2008 at 3:52 AM, Allen Tom <atom at yahoo-inc.com> wrote:
>
>> OpenID does not specify how the user authenticates with their OP, so OPs
>> which support hooks for client side authentication seem to address your
>> concerns.
>>
>
> Only if all of them do, and all client-side auth is consistent, and
> all clients support client-side auth, otherwise, well, it isn't
> consistent, and we've agreed that is bad.
>
> If my concerns were _actually_ addressed, there would be no phishing.
>
I believe the point is that there's nothing in OpenID to stop the UX
consistency campaign. Campaign away!
But... your requirements above seem to imply that
(1) We are using the same authentication UX for nuclear secrets as we do
for logging in to a gossip site;
(2) We have to get every browser / user agent, and every IdP, to buy
into the same UX (at close to the same time) and train users on how to
use the new UX.
So, while I cheer the campaign's ultimate goals, I think there's an
underwear gnomes problem in the plan as stated.
John