On 7/11/07, <b class="gmail_sendername">Peter Williams</b> <<a href="mailto:pwilliams@rapattoni.com">pwilliams@rapattoni.com</a>> wrote:<div><span class="gmail_quote"></span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
I'll advise the openid community Not to set its goals so low as to equate openid as that which one should associate with those sites that today do email auth (as proof of ID control).</blockquote><div><br>If an OP is using username/password, is there any reason to consider it more secure than email auth?
</div><br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">A decade ago, netscape+verisign issued over 1 million consumers with ID credentials (ssl client certs also capable of signing netscape email). Only proof of control over an email account was required.
<br><br>This did Not engender adoption of client certs, contrary perhaps to intuition.</blockquote><div><br>I doubt those freebie client certs had much to do with the demise of client certs. However, I think lack of portability and security were killers.
<br><br>The average user doesn't think too much about security, especially back in the day, but they want portability. The fact you couldn't transparently log in from your home machine, a work machine and a public library machine with a client cert was a major usability problem.
<br><br>Also, the fact that local password protected key stores could be hacked via a brute force attack actually made them less secure than username/password over SSL/TLS IMO since the private key store is exposed to trojans. There used to be a downloadable tool to crack the Netscape private key store which was fun to demo.
<br></div></div><br>-- <br>John Wang<br><a href="http://www.dev411.com/blog/">http://www.dev411.com/blog/</a>