[OpenID] Security related Use Cases?

Ben Laurie benl at google.com
Wed Oct 22 17:31:32 UTC 2008


On Wed, Oct 22, 2008 at 6:11 PM, John Panzer <jpanzer at acm.org> wrote:
> Ben Laurie wrote:
>
> On Wed, Oct 22, 2008 at 3:52 AM, Allen Tom <atom at yahoo-inc.com> wrote:
>
>
> OpenID does not specify how the user authenticates with their OP, so OPs
> which support hooks for client side authentication seem to address your
> concerns.
>
>
> Only if all of them do, and all client-side auth is consistent, and
> all clients support client-side auth, otherwise, well, it isn't
> consistent, and we've agreed that is bad.
>
> If my concerns were _actually_ addressed, there would be no phishing.
>
>
> I believe the point is that there's nothing in OpenID to stop the UX
> consistency campaign.  Campaign away!

Sure. But saying a problem is out of scope for OpenID does not make
the problem go away! The fact that _some_ OPs can be consistent
doesn't help.

>
> But... your requirements above seem to imply that
>
> (1) We are using the same authentication UX for nuclear secrets as we do for
> logging in to a gossip site;

I don't think I said that - I said the UX for gossip sites has to be
consistent - and likewise the UX for nuclear secrets.

> (2) We have to get every browser / user agent, and every IdP, to buy into
> the same UX (at close to the same time) and train users on how to use the
> new UX.

I think we should be prepared to relax the "all" and "at the same
time" constraints to "eventually all" in order to make forward
progress. Bear in mind that for any particular user, the experience
must be the same. This does not mean it must be the same for all
users. Which gives us room for manoeuvre.

>
> So, while I cheer the campaign's ultimate goals, I think there's an
> underwear gnomes problem in the plan as stated.
>
> John
>
>
