[OpenID] Re: Combining Google & Yahoo user experience research

Chris Messina chris.messina at gmail.com
Wed Oct 22 23:10:48 UTC 2008


I'm unclear what you're saying -- security isn't my first language.

I'm only pointing out a behavior that's already observable in the wild
-- where you provide one identifier and Yahoo essentially discards the
whole thing and only looks at the domain and uses identifier select.

This may not be ideal or what's expected, but it's a practice that exists.

Chris

On Wed, Oct 22, 2008 at 4:07 PM, Peter Williams <pwilliams at rapattoni.com> wrote:
> I don't understand what follows below. If I type the Bush id, assuming no delegation, then that is the claim I am seeking the RP to verify (by receiving an assertion from an OP about Bush id). An OP's assertion URL for Roger Rabbit doesn't count under the RP state machine.
>
> The only exception to this is the OP identifier case.
>
> How an OP decides you are entitled to assert control over an identifier is a local matter. Can log on with a PIV card saying you are Cheney, for all it matters. The RP will never know (unless PAPE is in use, perhaps).
>
> Isn't that what OpenID requires?
>
> ----------
>
> Try signing in to Pibb.com using http://me.yahoo.com/georgebush
>
> If you're already signed in to your Yahoo account, you'll pick an
> existing identifier and proceed, and Pibb won't have any idea who
> http://me.yahoo.com/georgebush is.
>



-- 
Chris Messina
Citizen-Participant &
  Open Technology Advocate-at-Large
factoryjoe.com # diso-project.org
citizenagency.com # vidoop.com
This email is:   [ ] bloggable    [X] ask first   [ ] private
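
Added example (not part of the original message, and not code from any OpenID library): a sketch of the relying-party rule discussed in this thread, using the OpenID 2.0 identifier_select value. The discovery table, URLs and function names are constructed; it assumes discovery on the typed URL yields an OP Identifier (the thread does not say how Yahoo arrives at identifier select), and signature checking is left out.

```python
# Added illustration; every name and URL here is constructed, not a library API.
IDENTIFIER_SELECT = "http://specs.openid.net/auth/2.0/identifier_select"
OP = "https://op.example/auth"

# Stand-in for discovery results (assumed): what each URL's document advertises.
DISCOVERY = {
    "https://op.example/typed-name": ("op_identifier", OP),
    "https://op.example/alice": ("claimed_identifier", OP),
    "https://op.example/bob": ("claimed_identifier", OP),
    "https://other.example/carol": ("claimed_identifier", "https://other.example/auth"),
}

def build_request(user_input):
    """Decide what the RP asks the OP to assert for the URL the user typed."""
    kind, endpoint = DISCOVERY[user_input]
    # An OP Identifier means the typed URL is not itself the claim.
    claim = IDENTIFIER_SELECT if kind == "op_identifier" else user_input
    return {"endpoint": endpoint, "claimed_id": claim}

def accept_assertion(request, assertion):
    """Return the identifier the RP may treat as logged in, or None to reject."""
    asserted = assertion["claimed_id"]
    if request["claimed_id"] != IDENTIFIER_SELECT and asserted != request["claimed_id"]:
        return None  # an assertion about a different identifier does not count
    # Whatever was asserted, the answering OP must be the one discovery names for it.
    kind, endpoint = DISCOVERY.get(asserted, (None, None))
    if kind != "claimed_identifier" or endpoint != assertion["op_endpoint"]:
        return None
    return asserted

if __name__ == "__main__":
    req = build_request("https://op.example/typed-name")
    print(accept_assertion(req, {"claimed_id": "https://op.example/alice", "op_endpoint": OP}))
```

In the identifier-select case the RP ends up knowing only the asserted identifier, never the URL that was typed.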


