On 9/1/07, <b class="gmail_sendername">Johannes Ernst</b> &lt;<a href="mailto:jernst+openid.net@netmesh.us">jernst+openid.net@netmesh.us</a>&gt; wrote:<div><span class="gmail_quote"></span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
For me at least, that's not the point. The point is: what can we do<br>to make it better? (without changing the low-cost economics)<br><br></blockquote></div><br>1. "Ping pong". OpenID depends on the user-agent's redirect
<br>mechanism and that's where most of the phishing risks appear.<br>Also, this complex user experience may hinder mass adoption.<br> <br>2. "I am not a URL." OpenID sees users as web resources, but <br>identifying yourself with a URL (any type) is geeky and a hurdle
<br>to wide adoption. <br><br>These are two issues that I haven't seen discussed in terms of <br>whether they are necessary in a user-centric protocol such <br>as OpenID. <br><br>Thanks,<br>Hans<br><br>-- <br>Hans Granqvist
<br>CTO<br>Phone: +1 (408) 524-1598<br><a href="http://www.yubico.com/">http://www.yubico.com/</a>