[OpenID] Fwd: [OpenID Foundation] New Poll Opened

Breno de Medeiros breno at google.com
Fri Mar 20 19:51:44 UTC 2009


Yes, I agree that the scope should be more symmetrical. For instance, RPs
might advertise support for popup if they want to accept unsolicited
assertions. As for the language, however, I see no need to duplicate
functionality available via AX/SREG (at least not without a good argument).

On Fri, Mar 20, 2009 at 12:07 PM, Paul Madsen <paulmadsen at rogers.com> wrote:

>  Thanks Breno, the point I was trying to make was that, as I read it, the
> WG proposed scope allows for
>
> a) how the OP will advertise support for pop-up UI
> b) how the RP sends the hint as to language
>
> But not the other 'corners', i.e., that also in scope is how the RP sends the
> UI hint or how the OP advertises support for different languages
>
> It just seems asymmetrical.
>
> paul
>
>
> Breno de Medeiros wrote:
>
>
>
> On Fri, Mar 20, 2009 at 11:14 AM, Paul Madsen <paulmadsen at rogers.com> wrote:
>
>> Thanks Allen, could you clarify something for me please? You describe the
>> two aspects of the extension (language and pop-up) both as hints from the RP
>> to the OP - these guiding the OP in building UI for the user.
>>
>> But the scope section of the WG proposal indicates that it is the OP that
>> indicates to the RP its support for a pop-up UI, rather than the RP
>> hinting/requesting that the OP build such a UI .....
>>
>
> As in other OpenID extensions, the OP indicates in its discovery document
> support for these features. RPs automatically discover that the features
> are available and take advantage of them by sending hints to the OP in
> requests.
>
> The RP needs to know in advance that the OP supports popup UIs otherwise
> sending the request in a popup may result in suboptimal experience because
> the rendered UI is oversized.
>
>
>
>>
>>
>> Am I missing something?
>>
>> paul
>>
>> Allen Tom wrote:
>>
>>  Hi Paul,
>>
>> What the OP decides to display within the Popup is out of scope,
>> consistent with how the content the OP displays in the current redirect UI
>> is out of scope. The OpenID spec does not define the method used to
>> authenticate the user, so some OPs may use username/password, and others
>> might use other authentication techniques. As Breno mentioned earlier, the
>> popup is really not much different than the existing UI, except that it's in
>> a popup.
>>
>> I believe that it is very prudent for OPs to educate their users
>> about phishing and security in general, and the text currently on MySpace's
>> homepage is a good example.
>>
>> The language hint and the popup UI are related in that they are both UI
>> attributes passed by the RP to the OP so that the OP can display an
>> authentication UI that is optimized for the RP's user experience. We intend
>> that the resulting UI Extension will allow the language preference and popup
>> to be implemented independently of each other. We expect that OPs can
>> advertise support for either language preference, popup, or both via
>> discovery.
>>
>> Thanks
>> Allen
>>
>>
>>
>>
>> Paul Madsen wrote:
>>
>> Allen, would not the fact that the content of the pop-up is specifically
>> declared out of scope in the WG proposal preclude guiding the OP to provide
>> such warnings or, for instance, display a sign-in seal, in the pop-up ?
>>
>> Separately, a language hint from the RP is clearly orthogonal to the
>> question of pop-up/full window. Are there implications for them to be
>> conflated into a single extension, e.g. for metadata advertisement of
>> extension support?
>>
>> paul
>>
>> Allen Tom wrote:
>>
>> The popup window will be REQUIRED to display the address bar. OPs will be
>> strongly encouraged to educate their users to always pay attention to the
>> URL of the address bar before entering their credentials.
>>
>> In particular, I think MySpace does an excellent job on their home page:
>>
>> Always make sure you're visiting the real myspace.com!
>>
>>    1. Check the URL in your browser.
>>    2. Make sure it begins with http://www.myspace.com/
>>    3. If ANY OTHER PAGE asks for your info, DON'T LOG IN!
>>
>> Allen
>>
>>
>> SitG Admin wrote:
>>
>> Phishing still is a major concern, however, we do not think that the popup
>> window significantly changes the phishing scenarios compared to the existing
>> full browser window UIs today.
>>
>>
>> Are you speaking of full-size windows, here, or windows that have an
>> address bar in them? Pop-up windows that are missing this indication of what
>> site the user is at may reduce confusion by eliminating distractions, but
>> they also take away from the user's awareness of what's going on.
>>
>> -Shade
>>
>>
>> --
>> Paul Madsen
>> e:paulmadsen @ ntt-at.com
>> p:613-482-0432
>> m:613-282-8647
>> web:connectid.blogspot.com
>>
>> _______________________________________________
>> general mailing list
>> general at openid.net
>> http://openid.net/mailman/listinfo/general
>>
>>
>
>
> --
> --Breno
>
> +1 (650) 214-1007 desk
> +1 (408) 212-0135 (Grand Central)
> MTV-41-3 : 383-A
> PST (GMT-8) / PDT(GMT-7)
>



-- 
--Breno
