[OpenID] Abusing Authentication Failure messages
SitG Admin
sysadmin at shadowsinthegarden.com
Mon Aug 23 16:28:15 UTC 2010
>>>As an end-user, I would trust a site that claimed OpenID support
>>>to guard my safety and privacy more if I knew the specification
>>>required it to be stringent in the above matters.
>>What you have here is a legal issue: does your contract with the
>>site *require* it to guard your safety and privacy?
>I disagree. What you have here is a branding issue.
>--
>"Elevator Inspection Certificate is on file in the Maintenance Office"
Yes, the legal basis of trust can be outsourced to a TTP, so you
don't need to separately investigate a number of individual sites.
Branding then enables ready recognition of a site's membership in
that special club, which is special because not everyone *does* do it.
My counter-perspective is: "As an end-user, I would trust a site to
guard my safety and privacy more if I knew that it was NOT required
to be stringent in these matters, but had actively researched the
protocols it was using, discovered possible vulnerabilities, and
taken steps to counteract them."
Maarten's perspective is that mandatory compliance, not optional
compliance, inspires more trust. This is where a blanket
legally-binding contract would come in: it is possible to ride to the
top floor in a certified elevator, and then fall through said floor
upon stepping out of the elevator, because no [elevator] regulations
governed the strength of the infrastructure surrounding it.
-Shade