[OpenID] Fwd: [OpenID Foundation] New Poll Opened

Paul Madsen paulmadsen at rogers.com
Fri Mar 20 18:14:40 UTC 2009 

Thanks Allen, could you clarify something for me please? You describe 
the two aspects of the extension (language and pop-up) both as hints 
from the RP to the OP - these guiding the OP in building UI for the user.

But the scope section of the WG proposal indicates that it is the OP 
that indicates to the RP its support for a pop-up UI, rather than the RP 
hinting/requesting that the OP build such a UI .....

Am I missing something?

paul

Allen Tom wrote:
> Hi Paul,
>
> What the OP decides to display within the Popup is out of scope, 
> consistent with how the content the OP displays in the current 
> redirect UI is out of scope. The OpenID spec does not define the 
> method used to authenticate the user, so some OPs may use 
> username/password, and others might use other authentication 
> techniques. As Breno mentioned earlier, the popup is really not much 
> different than the existing UI, except that it's in a popup.
>
> I believe that that it is very prudent for OPs to educate their users 
> about phishing and security in general, and the text currently on 
> MySpace's homepage is a good example.
>
> The language hint and the popup UI are related in that they are both 
> UI attributes passed by the RP to the OP so that the OP can display an 
> authentication UI that is optimized for the RP's user experience. We 
> intend that the resulting UI Extension will allow the language 
> preference and popup to be implemented independently of each other. We 
> expect that OPs can advertise support for either language preference, 
> popup, or both via discovery.
>
> Thanks
> Allen
>
>
>
>
> Paul Madsen wrote:
>> Allen, would not the fact that the content of the pop-up is 
>> specifically declared out of scope in the WG proposal preclude 
>> guiding the OP to  provide such warnings or, for instance, display a 
>> sign-in seal, in the pop-up ?
>>
>> Separately, a language hint from the RP is clearly orthogonal to the 
>> question of pop-up/full window. Are there implications for them to be 
>> conflated into a single extension, e.g. for metadata advertisement of 
>> extension support?
>>
>> paul
>>
>> Allen Tom wrote:
>>> The popup window will be REQUIRED to display the address bar. OPs 
>>> will be strongly encouraged to educate their users to always pay 
>>> attention to the URL of the address bar before entering their 
>>> credentials.
>>>
>>> In particular, I think MySpace does an excellent job on their home page:
>>>
>>>
>>>       Always make sure you're visiting the real myspace.com!
>>>
>>>    1. Check the URL in your browser.
>>>    2. Make sure it begins with http://www.myspace.com/
>>>    3. If ANY OTHER PAGE asks for your info, DON'T LOG IN!
>>>
>>> Allen
>>>
>>>
>>> SitG Admin wrote:
>>>>> Phishing still is a major concern, however, we do not think that 
>>>>> the popup window significantly changes the phishing scenarios 
>>>>> compared to the existing full browser window UIs today.
>>>>
>>>> Are you speaking of full-size windows, here, or windows that have 
>>>> an address bar in them? Pop-up windows that are missing this 
>>>> indication of what site the user is at may reduce confusion by 
>>>> eliminating distractions, but they also take away from the user's 
>>>> awareness of what's going on.
>>>>
>>>> -Shade
>>>
>>> ------------------------------------------------------------------------
>>>
>>> _______________________________________________
>>> general mailing list
>>> general at openid.net
>>> http://openid.net/mailman/listinfo/general
>>>   
>>> ------------------------------------------------------------------------
>>>
>>> No virus found in this incoming message.
>>> Checked by AVG. 
>>> Version: 7.5.557 / Virus Database: 270.11.19/2011 - Release Date: 19/03/2009 7:05 AM
>>>   
>>
>> -- 
>> Paul Madsen
>> e:paulmadsen @ ntt-at.com
>> p:613-482-0432
>> m:613-282-8647
>> web:connectid.blogspot.com
>> ConnectID <http://feeds.feedburner.com/%7Er/blogspot/gMwy/%7E6/1>
>
> ------------------------------------------------------------------------
>
> No virus found in this incoming message.
> Checked by AVG. 
> Version: 7.5.557 / Virus Database: 270.11.21/2014 - Release Date: 20/03/2009 6:59 AM
>   

-- 
Paul Madsen
e:paulmadsen @ ntt-at.com
p:613-482-0432
m:613-282-8647
web:connectid.blogspot.com
ConnectID <http://feeds.feedburner.com/%7Er/blogspot/gMwy/%7E6/1>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-general/attachments/20090320/3558ba00/attachment-0002.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/gif
Size: 21486 bytes
Desc: not available
URL: <http://lists.openid.net/pipermail/openid-general/attachments/20090320/3558ba00/attachment-0004.gif>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: gMwy.1.gif
Type: image/gif
Size: 21486 bytes
Desc: not available
URL: <http://lists.openid.net/pipermail/openid-general/attachments/20090320/3558ba00/attachment-0005.gif>

More information about the general mailing list