[OpenID] [LIKELY_SPAM]Re: [LIKELY_SPAM]Re: Combining Google & Yahoo user experience research
SitG Admin
sysadmin at shadowsinthegarden.com
Tue Oct 28 20:43:15 UTC 2008
>If you do genuinely always go offline to read your email,

This wasn't my claim. I *can* go offline before reading, and do for
suspicious messages, but haven't regularly logged off before reading
since I stopped using dial-up ;)

>I'd expect that taking the round-trip to your email client to
>confirm your email address -- something that will require you to
>visit a URL and thus to go online again -- would be a benefit to you
>rather than a hindrance.

I do still (and did) handle E-mail through one machine, web access
through another. The machine that can handle E-mail has practically
nonexistent browser support; as far as the machine that can handle
the web is concerned, I have *never* entered an E-mail address. By
isolating each specialized machine in this way, I benefit from
additional layers of security, and all it costs me is a slight hit in
speed when I have to copy some information across by hand. I never
have to take the "web" machine offline to check E-mail, even if I
disconnect the "mail" machine from all networks before opening a
message.

>If you wanted to use this system at a domain of your own then you
>would need to run, or have someone else run on your behalf, an email
>verification service for your domain. This would require a public
>HTTP server somewhere, but it could be completely separate from your
>email services.

So it's all done in DNS?

My concern is mainly that, if users are accustomed to authenticating
for their E-mail address through a (trusted) program on their
(locally owned and controlled) home computer, they may suddenly get
awfully suspicious when they are asked to enter their password on a
website. One of the main benefits of handling everything locally is
that they never need to risk their password in a browser! (My
browser, on the 'web' machine, does not remember my E-mail password
or the E-mail itself - nor can that information be extracted from it,
since neither piece of information was ever available to it!) Another
side effect is that the (trusted) program remembers my password
independently of a browser reset, so I have not needed to know what
my password is since the last time it was changed. Suddenly
challenging users to enter their password across an interface they
have never needed to risk before, when they may not even *recall*
what their password IS, seems too much of a barrier.

-Shade