[OpenID] Fwd: [OpenID Foundation] New Poll Opened
Ben Laurie
benl at google.com
Fri Mar 20 13:14:21 UTC 2009
On Fri, Mar 20, 2009 at 1:32 AM, John Bradley <john.bradley at wingaa.com> wrote:
> I am going to vote in favor of forming the WG.
> I have my own deep concerns about phishing attacks.
> However OPs that support Infocard, x509, OTP tokens, and
> other multi-factor authentication techniques should not be precluded from
> supporting this.
> I have had discussions on the discovery part of the proposed spec with the
> authors, and am OK with the work on that to this point.
> I will however vote against the final version if the popup is not at the
> OPs discretion via Discovery, and OPs are not required to use
> phishing resistant authentication in the popup.
Like western civilisation, this would be a very good idea (Gandhi).
What phishing resistant authentication did you have in mind?
> If this is not done correctly it will reinforce bad habits in users,
> and potentially negatively impact the perception of OpenID in general.
> I think it is a discussion worth having, but as most people would expect I
> am unconvinced that popups can be used for user-name and password logins by
> an OP.
> But hey Ben Laurie can't always chime in so I will play backup grumpy
> security guy:)
Thanks :-)
> Regards
> John Bradley
> On 19-Mar-09, at 6:11 PM, general-request at openid.net wrote:
>
> Date: Fri, 20 Mar 2009 03:09:03 +0200
> From: "Eddy Nigg (StartCom Ltd.)" <eddy_nigg at startcom.org>
> Subject: Re: [OpenID] Fwd: [OpenID Foundation] New Poll Opened
> To: SitG Admin <sysadmin at shadowsinthegarden.com>
> Cc: general at openid.net
> Message-ID: <49C2ECAF.5080804 at startcom.org>
> Content-Type: text/plain; charset="utf-8"; Format="flowed"
>
>
> On 03/20/2009 03:01 AM, SitG Admin:
>
> Phishing still is a major concern, however, we do not think that the
> popup window significantly changes the phishing scenarios compared to
> the existing full browser window UIs today.
>
> Are you speaking of full-size windows, here, or windows that have an
> address bar in them? Pop-up windows that are missing this indication
> of what site the user is at may reduce confusion by eliminating
> distractions, but they also take away from the user's awareness of
> what's going on.
>
>
>
> Wait! Isn't this supposed to be part of the WG itself? I'm not in favor
> of popup windows at all, however I think the discussions and arguments
> should go into the WG and I expect some surprising results because of
> it...it might be one of the few WGs which will not end up in an approved
> specification. Voting against the WG is refusing to discuss the problems
> at hand - both that of usability and security (and they don't have to go
> with each other always).
>
> Regards
> Signer: Eddy Nigg, StartCom Ltd. <http://www.startcom.org>
> Jabber: startcom at startcom.org <xmpp:startcom at startcom.org>
> Blog: Join the Revolution! <http://blog.startcom.org>
> Phone: +1.213.341.0390