[OpenID] Fwd: [OpenID Foundation] New Poll Opened
John Bradley
john.bradley at wingaa.com
Fri Mar 20 01:32:16 UTC 2009
I am going to vote in favor of forming the WG.
I have my own deep concerns about phishing attacks.
However, OPs that support Infocard, x509, OTP tokens, and other
multi-factor authentication techniques should not be precluded from
supporting this.
I have had discussions on the discovery part of the proposed spec with
the authors, and am OK with the work on that to this point.
I will however vote against the final version if the popup is not at
the OP's discretion via Discovery, and OPs are not required to use
phishing resistant authentication in the popup.
If this is not done correctly it will reinforce bad habits in users,
and potentially negatively impact the perception of OpenID in general.
I think it is a discussion worth having, but as most people would
expect I am unconvinced that popups can be used for user-name and
password logins by an OP.
But hey, Ben Laurie can't always chime in, so I will play backup grumpy
security guy :)
Regards
John Bradley
On 19-Mar-09, at 6:11 PM, general-request at openid.net wrote:
> Date: Fri, 20 Mar 2009 03:09:03 +0200
> From: "Eddy Nigg (StartCom Ltd.)" <eddy_nigg at startcom.org>
> Subject: Re: [OpenID] Fwd: [OpenID Foundation] New Poll Opened
> To: SitG Admin <sysadmin at shadowsinthegarden.com>
> Cc: general at openid.net
> Message-ID: <49C2ECAF.5080804 at startcom.org>
> Content-Type: text/plain; charset="utf-8"; Format="flowed"
>
>
> On 03/20/2009 03:01 AM, SitG Admin:
>>> Phishing still is a major concern, however, we do not think that the
>>> popup window significantly changes the phishing scenarios compared to
>>> the existing full browser window UIs today.
>>
>> Are you speaking of full-size windows, here, or windows that have an
>> address bar in them? Pop-up windows that are missing this indication
>> of what site the user is at may reduce confusion by eliminating
>> distractions, but they also take away from the user's awareness of
>> what's going on.
>>
>>
>
> Wait! Isn't this supposed to be part of the WG itself? I'm not in favor
> of popup windows at all, however I think the discussions and arguments
> should go into the WG and I expect some surprising results because of
> it...it might be one of the few WGs which will not end up in an approved
> specification. Voting against the WG is refusing to discuss the problems
> at hand - both that of usability and security (and they don't have to go
> with each other always).
>
> Regards
> Signer: Eddy Nigg, StartCom Ltd. <http://www.startcom.org>
> Jabber: startcom at startcom.org <xmpp:startcom at startcom.org>
> Blog: Join the Revolution! <http://blog.startcom.org>
> Phone: +1.213.341.0390