<div dir="ltr">Nathan,<div><br></div><div>OpenID does not mandate that sites you log into automatically know anything at all about you except an identifier by which it can recognize you at your next visit. All other information, including the ability to recognize you as the same person who logged into some other web site, or any personal information like name or age is completely optional.</div>
<div><br></div><div>With none of that mandated, OpenID still gives you the ability to log in with just a single username and password across the web.<br><br><div class="gmail_quote">On Tue, Oct 21, 2008 at 12:57 PM, Nathan <span dir="ltr"><<a href="mailto:npoole@computrain-lap.com">npoole@computrain-lap.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">I just want to add that I like where you guys are trying to go with all of<br>
this. But do we really want to put an ID system on the internet?? To me this<br>
screams "Driver's License" or "State ID" only you're trying to do this online.<br>
That is an extremely scary thought. I don't want to login to my favorite<br>
porn site or whatever kind of site and have website owner immediately have<br>
all of my personal information. Or for that matter how do you plan on<br>
keeping users of OpenID from tracking people's website visiting habits?<br>
<br>
You guys really need to rethink all of this and really consider what you<br>
might be doing.<br>
<br>
-----Original Message-----<br>
From: <a href="mailto:general-bounces@openid.net">general-bounces@openid.net</a> [mailto:<a href="mailto:general-bounces@openid.net">general-bounces@openid.net</a>] On<br>
Behalf Of <a href="mailto:general-request@openid.net">general-request@openid.net</a><br>
Sent: Tuesday, October 21, 2008 3:00 PM<br>
To: <a href="mailto:general@openid.net">general@openid.net</a><br>
Subject: general Digest, Vol 26, Issue 57<br>
<br>
Send general mailing list submissions to<br>
<a href="mailto:general@openid.net">general@openid.net</a><br>
<br>
To subscribe or unsubscribe via the World Wide Web, visit<br>
<a href="http://openid.net/mailman/listinfo/general" target="_blank">http://openid.net/mailman/listinfo/general</a><br>
or, via email, send a message with subject or body 'help' to<br>
<a href="mailto:general-request@openid.net">general-request@openid.net</a><br>
<br>
You can reach the person managing the list at<br>
<a href="mailto:general-owner@openid.net">general-owner@openid.net</a><br>
<br>
When replying, please edit your Subject line so it is more specific than<br>
"Re: Contents of general digest..."<br>
<br>
<br>
Today's Topics:<br>
<br>
1. Re: Security related Use Cases? (Ben Laurie)<br>
2. Re: Security related Use Cases? (Peter Williams)<br>
3. Re: Security related Use Cases? (Breno de Medeiros)<br>
4. Re: Security related Use Cases? (Ben Laurie)<br>
5. Re: Security related Use Cases? (Paul Madsen)<br>
6. Re: Combining Google & Yahoo user experience research<br>
(Peter Williams)<br>
<br>
<br>
----------------------------------------------------------------------<br>
<br>
Message: 1<br>
Date: Tue, 21 Oct 2008 19:02:11 +0100<br>
From: "Ben Laurie" <<a href="mailto:benl@google.com">benl@google.com</a>><br>
Subject: Re: [OpenID] Security related Use Cases?<br>
To: "Allen Tom" <<a href="mailto:atom@yahoo-inc.com">atom@yahoo-inc.com</a>><br>
Cc: Dick Hardt <<a href="mailto:dick@sxip.com">dick@sxip.com</a>>, OpenID List <<a href="mailto:general@openid.net">general@openid.net</a>><br>
Message-ID:<br>
<<a href="mailto:1b587cab0810211102k42db405awfafd5b5895478cca@mail.gmail.com">1b587cab0810211102k42db405awfafd5b5895478cca@mail.gmail.com</a>><br>
Content-Type: text/plain; charset=ISO-8859-1<br>
<br>
On Tue, Oct 21, 2008 at 5:28 PM, Allen Tom <<a href="mailto:atom@yahoo-inc.com">atom@yahoo-inc.com</a>> wrote:<br>
> Paul Madsen wrote:<br>
>><br>
>> Even better 'please login so we can display your personalized seal'<br>
>><br>
><br>
> This is exactly why we want the Login UX to be very consistent, so<br>
> users should be very alarmed if the flow ever changes.<br>
<br>
So if we're going to embark on a UX consistency campaign, should we not do<br>
it around authentication that actually is safe - that is:<br>
<br>
a) Built in to the browser, s.t. it can't be faked by webpages<br>
<br>
b) Does not reveal the user's password in the process of authentication?<br>
<br>
Continuing to try to prop up the house of cards that is authentication on<br>
webpages seems counterproductive to me.<br>
<br>
><br>
> Allen<br>
><br>
><br>
<br>
<br>
------------------------------<br>
<br>
Message: 2<br>
Date: Tue, 21 Oct 2008 11:04:52 -0700<br>
From: Peter Williams <<a href="mailto:pwilliams@rapattoni.com">pwilliams@rapattoni.com</a>><br>
Subject: Re: [OpenID] Security related Use Cases?<br>
To: Ben Laurie <<a href="mailto:benl@google.com">benl@google.com</a>>, Allen Tom <<a href="mailto:atom@yahoo-inc.com">atom@yahoo-inc.com</a>><br>
Cc: Dick Hardt <<a href="mailto:dick@sxip.com">dick@sxip.com</a>>, OpenID List <<a href="mailto:general@openid.net">general@openid.net</a>><br>
Message-ID:<br>
<<a href="mailto:7FD5B754D66D9A489C584ECA4B32418F20EFC4DE@simmbox01.rapnt.com">7FD5B754D66D9A489C584ECA4B32418F20EFC4DE@simmbox01.rapnt.com</a>><br>
Content-Type: text/plain; charset="us-ascii"<br>
<br>
Someone please tell the list what UX is?<br>
<br>
<br>
-----Original Message-----<br>
From: <a href="mailto:general-bounces@openid.net">general-bounces@openid.net</a> [mailto:<a href="mailto:general-bounces@openid.net">general-bounces@openid.net</a>] On<br>
Behalf Of Ben Laurie<br>
Sent: Tuesday, October 21, 2008 11:02 AM<br>
To: Allen Tom<br>
Cc: Dick Hardt; OpenID List<br>
Subject: Re: [OpenID] Security related Use Cases?<br>
<br>
On Tue, Oct 21, 2008 at 5:28 PM, Allen Tom <<a href="mailto:atom@yahoo-inc.com">atom@yahoo-inc.com</a>> wrote:<br>
> Paul Madsen wrote:<br>
>><br>
>> Even better 'please login so we can display your personalized seal'<br>
>><br>
><br>
> This is exactly why we want the Login UX to be very consistent, so<br>
> users should be very alarmed if the flow ever changes.<br>
<br>
So if we're going to embark on a UX consistency campaign, should we not do<br>
it around authentication that actually is safe - that is:<br>
<br>
<br>
<br>
------------------------------<br>
<br>
Message: 3<br>
Date: Tue, 21 Oct 2008 11:06:58 -0700<br>
From: "Breno de Medeiros" <<a href="mailto:breno@google.com">breno@google.com</a>><br>
Subject: Re: [OpenID] Security related Use Cases?<br>
To: "Allen Tom" <<a href="mailto:atom@yahoo-inc.com">atom@yahoo-inc.com</a>><br>
Cc: Dick Hardt <<a href="mailto:dick@sxip.com">dick@sxip.com</a>>, OpenID List <<a href="mailto:general@openid.net">general@openid.net</a>><br>
Message-ID:<br>
<<a href="mailto:29fb00360810211106w7d234439pd495ff8390ac7719@mail.gmail.com">29fb00360810211106w7d234439pd495ff8390ac7719@mail.gmail.com</a>><br>
Content-Type: text/plain; charset=ISO-8859-1<br>
<br>
On Tue, Oct 21, 2008 at 9:26 AM, Allen Tom <<a href="mailto:atom@yahoo-inc.com">atom@yahoo-inc.com</a>> wrote:<br>
> Ben Laurie wrote:<br>
><br>
> We do not allow the Yahoo Login screen to be framed,<br>
><br>
><br>
> Can you do that when JS is disabled?<br>
><br>
><br>
><br>
> No, JS must be enabled for the framebusting code to work. That being<br>
> said, our studies show that more than 99% percent of users have JS<br>
> enabled, and realistically speaking, users who disable JS for security<br>
> reasons are probably not going to get phished.<br>
<br>
IE allows you to create an iframe and disable JS inside the iframe.<br>
70-85% of users will be vulnerable to this attack.<br>
<br>
><br>
> Surely research has shown that these are completely ineffective? That<br>
> is, if the phisher replaces the seal with "sorry, our server is down<br>
> right now" most people go ahead and log in anyway.<br>
><br>
><br>
> The Sign-in Seal is intended to help users recognize the Yahoo Login<br>
Screen.<br>
> It is not intended to be a 100% foolproof solution, but rather it is<br>
> an extra factor for users who worry about phishing to have a greater<br>
> assurance that they're not being phished when entering their password.<br>
><br>
> Allen<br>
><br>
><br>
> _______________________________________________<br>
> general mailing list<br>
> <a href="mailto:general@openid.net">general@openid.net</a><br>
> <a href="http://openid.net/mailman/listinfo/general" target="_blank">http://openid.net/mailman/listinfo/general</a><br>
><br>
><br>
<br>
<br>
<br>
--<br>
--Breno<br>
<br>
+1 (650) 214-1007 desk<br>
+1 (408) 212-0135 (Grand Central)<br>
MTV-41-3 : 383-A<br>
PST (GMT-8) / PDT(GMT-7)<br>
<br>
<br>
------------------------------<br>
<br>
Message: 4<br>
Date: Tue, 21 Oct 2008 19:12:02 +0100<br>
From: "Ben Laurie" <<a href="mailto:benl@google.com">benl@google.com</a>><br>
Subject: Re: [OpenID] Security related Use Cases?<br>
To: "Peter Williams" <<a href="mailto:pwilliams@rapattoni.com">pwilliams@rapattoni.com</a>><br>
Cc: Dick Hardt <<a href="mailto:dick@sxip.com">dick@sxip.com</a>>, OpenID List <<a href="mailto:general@openid.net">general@openid.net</a>><br>
Message-ID:<br>
<<a href="mailto:1b587cab0810211112p2659ca7ekda2a97b27cf70f09@mail.gmail.com">1b587cab0810211112p2659ca7ekda2a97b27cf70f09@mail.gmail.com</a>><br>
Content-Type: text/plain; charset=ISO-8859-1<br>
<br>
On Tue, Oct 21, 2008 at 7:04 PM, Peter Williams <<a href="mailto:pwilliams@rapattoni.com">pwilliams@rapattoni.com</a>><br>
wrote:<br>
> Someone please tell the list what UX is?<br>
<br>
User experience.<br>
<br>
><br>
><br>
> -----Original Message-----<br>
> From: <a href="mailto:general-bounces@openid.net">general-bounces@openid.net</a> [mailto:<a href="mailto:general-bounces@openid.net">general-bounces@openid.net</a>]<br>
> On Behalf Of Ben Laurie<br>
> Sent: Tuesday, October 21, 2008 11:02 AM<br>
> To: Allen Tom<br>
> Cc: Dick Hardt; OpenID List<br>
> Subject: Re: [OpenID] Security related Use Cases?<br>
><br>
> On Tue, Oct 21, 2008 at 5:28 PM, Allen Tom <<a href="mailto:atom@yahoo-inc.com">atom@yahoo-inc.com</a>> wrote:<br>
>> Paul Madsen wrote:<br>
>>><br>
>>> Even better 'please login so we can display your personalized seal'<br>
>>><br>
>><br>
>> This is exactly why we want the Login UX to be very consistent, so<br>
>> users should be very alarmed if the flow ever changes.<br>
><br>
> So if we're going to embark on a UX consistency campaign, should we<br>
> not do it around authentication that actually is safe - that is:<br>
><br>
><br>
<br>
<br>
------------------------------<br>
<br>
Message: 5<br>
Date: Tue, 21 Oct 2008 14:20:34 -0400<br>
From: Paul Madsen <<a href="mailto:paulmadsen@rogers.com">paulmadsen@rogers.com</a>><br>
Subject: Re: [OpenID] Security related Use Cases?<br>
To: Allen Tom <<a href="mailto:atom@yahoo-inc.com">atom@yahoo-inc.com</a>><br>
Cc: OpenID List <<a href="mailto:general@openid.net">general@openid.net</a>><br>
Message-ID: <<a href="mailto:48FE1D72.6000501@rogers.com">48FE1D72.6000501@rogers.com</a>><br>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed<br>
<br>
Thanks Allen, yes I understand the premise, but I'm a Yahoo! user and,<br>
despite knowing better, I find myself very tolerant of 'not' seeing the seal<br>
(which I know I set up at some point, but can't remember if I removed it, or<br>
did I do it from another machine, or was it for a different account, or was<br>
it Google, etc ....)<br>
<br>
paul<br>
<br>
Allen Tom wrote:<br>
> Paul Madsen wrote:<br>
>> Even better 'please login so we can display your personalized seal'<br>
>><br>
> This is exactly why we want the Login UX to be very consistent, so<br>
> users should be very alarmed if the flow ever changes.<br>
><br>
> Allen<br>
><br>
><br>
><br>
<br>
--<br>
Paul Madsen e:paulmadsen @ <a href="http://ntt-at.com" target="_blank">ntt-at.com</a><br>
NTT p:613-482-0432<br>
m:613-282-8647<br>
aim:PaulMdsn5<br>
web:<a href="http://connectid.blogspot.com" target="_blank">connectid.blogspot.com</a><br>
<br>
<br>
<br>
------------------------------<br>
<br>
Message: 6<br>
Date: Tue, 21 Oct 2008 11:27:39 -0700<br>
From: Peter Williams <<a href="mailto:pwilliams@rapattoni.com">pwilliams@rapattoni.com</a>><br>
Subject: Re: [OpenID] Combining Google & Yahoo user experience<br>
research<br>
To: Martin Atkins <<a href="mailto:mart@degeneration.co.uk">mart@degeneration.co.uk</a>>, Paul Madsen<br>
<<a href="mailto:paulmadsen@rogers.com">paulmadsen@rogers.com</a>><br>
Cc: "<a href="mailto:general@openid.net">general@openid.net</a>" <<a href="mailto:general@openid.net">general@openid.net</a>><br>
Message-ID:<br>
<<a href="mailto:7FD5B754D66D9A489C584ECA4B32418F20EFC4DF@simmbox01.rapnt.com">7FD5B754D66D9A489C584ECA4B32418F20EFC4DF@simmbox01.rapnt.com</a>><br>
Content-Type: text/plain; charset="us-ascii"<br>
<br>
I understood that UCI (in the OpenID vs the Cardspace sense) to be about<br>
user empowerment. It exists to break the notion that FaceBook (or some other<br>
IDP) controls the portability of buddy list. I control my buddy list.<br>
Period. The OP is just a contractor, to me; handling my copyrighted data<br>
aggregation.<br>
<br>
For example, if Facebook decide that I violate their terms of contract, and<br>
suspend access without notice (or because the local secret police tell them<br>
to), there is no impact on me concerning my 2000 entries. I don't "suddenly"<br>
lose access to my social net, because of the IDPs policies. I get<br>
"portability" of my identity.<br>
<br>
This is obviously not something the traditional SAML world ever believed in.<br>
There, the IDP is the trustee of your attribute, guarding your privacy. But<br>
there is a cost, it gets control. It participates in governance regimes that<br>
may or may not suit you (even if they suit the public in general).<br>
<br>
----------<br>
<br>
My point about SP affiliations is that this particularly nice feature from<br>
more advanced SAML world allows one dominant spoke to rely on an OP, and<br>
then signal other affiliate member spokes about its renaming activities.<br>
What is OpenID delegation, other than a renaming of URIs (at certain OPs)?<br>
<br>
A cute way to have SAML and OpenID2 models converge would be to play with<br>
this idea, where only certain amounts of control are ceded by the user and<br>
that delegation is explicit. This user then has survivability, when the<br>
OP/IDP stops support him/her.<br>
<br>
<br>
<br>
-----Original Message-----<br>
From: Martin Atkins [mailto:<a href="mailto:mart@degeneration.co.uk">mart@degeneration.co.uk</a>]<br>
Sent: Monday, October 20, 2008 12:07 PM<br>
To: Paul Madsen<br>
Cc: Peter Williams; <a href="mailto:general@openid.net">general@openid.net</a><br>
Subject: Re: [OpenID] Combining Google & Yahoo user experience research<br>
<br>
Paul Madsen wrote:<br>
> Thanks, OpenID's delegation mechanism is undeniably powerful (not sure<br>
> I see the connection to SAML affiliations though?).<br>
><br>
> But the enhanced ability to switch IDPs isn't the 'user empowering<br>
> aspect' of OpenID I was asking about - rather the hardline view that a<br>
> User's choice of OP takes complete priority over whatever the RP might<br>
> think about the matter.<br>
><br>
> Is an RP ever declining a user specified OP compatible with your view<br>
> (at least my interpretation of) of user-centric?<br>
><br>
<br>
The RP can do whatever it likes, of course.<br>
<br>
It's up to the RP to decide whether they want my business enough to respect<br>
my decision as to which OP I trust. I'm unlikely to go get a new OP just<br>
because an RP doesn't like my current one. I'd just go find a competing RP.<br>
<br>
<br>
<br>
<br>
------------------------------<br>
<br>
<br>
<br>
End of general Digest, Vol 26, Issue 57<br>
***************************************<br>
<br>
<br></blockquote></div><br></div></div>
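<p>The point made in the reply at the top of this page, that an OpenID provider can hand each site an identifier that says nothing beyond "same person as last visit", is easiest to see in code. OpenID 2.0's directed identity lets the OP choose the claimed identifier it asserts; deriving that identifier with a keyed hash over the local account and the relying party's realm is one way to make it specific to each RP. The block below is an added example written for this page, not code from the thread, from the OpenID specifications or from any provider; the provider URL, the key, the account names and the realms are constructed for illustration.</p>

```python
import base64
import hashlib
import hmac
from urllib.parse import urlsplit

# Constructed for this example: an OP-side secret and a provider base URL.
# A real OP would keep this key out of source and rotate it only with a
# migration plan, because rotating it silently renames every user at every RP.
OP_BASE = "https://op.example"
OP_PAIRWISE_KEY = b"example-op-secret-not-a-real-key"


def realm_host(realm):
    """Reduce an RP realm to the host the identifier is bound to.

    Binding to the realm host rather than to return_to keeps the identifier
    stable across logins, since return_to changes per request. A wildcard
    realm such as https://*.shop.example/ is bound to shop.example.
    """
    host = urlsplit(realm).hostname
    if not host:
        raise ValueError(f"realm must be an absolute URL with a host: {realm!r}")
    host = host.lower()
    return host[2:] if host.startswith("*.") else host


def pairwise_identifier(local_account, realm, key=OP_PAIRWISE_KEY, op_base=OP_BASE):
    """Return the claimed identifier the OP asserts for local_account at this RP.

    Same account, same realm host -> the same identifier on every visit.
    Same account, different RP    -> an unrelated identifier; two RPs comparing
                                     notes cannot tell they see the same person.
    """
    host = realm_host(realm)
    material = f"{local_account}\x00{host}".encode()
    tag = hmac.new(key, material, hashlib.sha256).digest()
    token = base64.urlsafe_b64encode(tag[:16]).rstrip(b"=").decode()
    return f"{op_base}/id/{token}"


if __name__ == "__main__":
    for account, realm in [("alice", "https://shop.example/"),
                           ("alice", "https://forum.example/"),
                           ("bob", "https://shop.example/")]:
        print(f"{account:6s} {realm:26s} -> {pairwise_identifier(account, realm)}")
```

<p>The same RP sees the same identifier across visits, which is the one thing the reply says an RP needs; two RPs see unrelated identifiers for the same account and cannot join them without the OP's key. What this does not do is stop the OP itself from seeing every login to every RP, which is where Nathan's tracking concern actually lands, and it cannot stop a user from correlating themselves by giving the same name or e-mail address to both sites.</p>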
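<p>The framebusting exchange between Allen Tom and Breno de Medeiros in message 3 is about a general weakness: a defence that lives in page script is only as good as the attacker's inability to switch script off inside the frame. Browsers later gained header-based controls, first X-Frame-Options and then the CSP frame-ancestors directive, that the browser enforces before any script runs; neither existed when this thread was written. The checker below sorts login responses by which kind of protection they carry. It is an added example written for this page, not code from the thread or from Yahoo or Google; the four sample responses are constructed, not captured from any real site.</p>

```python
import re

# Constructed sample login responses (not captured from any real site).
# Bodies are trimmed to the parts the check cares about.
LOGIN_PAGES = {
    "script_only": {
        "headers": {"Content-Type": "text/html"},
        "body": "<script>if (top != self) top.location = self.location;</script><form>...</form>",
    },
    "xfo": {
        "headers": {"Content-Type": "text/html", "X-Frame-Options": "DENY"},
        "body": "<form>...</form>",
    },
    "csp": {
        "headers": {
            "Content-Type": "text/html",
            "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
        },
        "body": "<script>if (top != self) top.location = self.location;</script><form>...</form>",
    },
    "open": {
        "headers": {"Content-Type": "text/html"},
        "body": "<form>...</form>",
    },
}

# Common shapes of a JavaScript frame-buster. A heuristic over the page text,
# not a parser of the script.
FRAMEBUST_RE = re.compile(r"top\s*!==?\s*self|top\.location|self\s*!==?\s*top", re.I)


def get_header(headers, name):
    """Case-insensitive lookup; HTTP header names are not case-sensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def csp_frame_ancestors(csp):
    """Return the source list of the frame-ancestors directive, or None if absent."""
    if not csp:
        return None
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return tokens[1:]
    return None


def classify_frame_protection(headers, body):
    """Classify how a response resists being framed.

    'header'      : the browser refuses the frame before any script runs
                    (CSP frame-ancestors, or X-Frame-Options DENY/SAMEORIGIN)
    'script-only' : only a JavaScript frame-buster, which never runs if the
                    attacker disables scripting inside the frame
    'none'        : no framing defence at all
    """
    ancestors = csp_frame_ancestors(get_header(headers, "Content-Security-Policy"))
    if ancestors is not None and "*" not in ancestors:
        return "header"  # CSP frame-ancestors takes precedence over X-Frame-Options
    xfo = get_header(headers, "X-Frame-Options")
    if xfo and xfo.strip().upper() in ("DENY", "SAMEORIGIN"):
        return "header"
    if FRAMEBUST_RE.search(body):
        return "script-only"
    return "none"


def audit(pages):
    """Map each sample page name to its classification."""
    return {name: classify_frame_protection(p["headers"], p["body"])
            for name, p in pages.items()}


if __name__ == "__main__":
    for name, verdict in audit(LOGIN_PAGES).items():
        print(f"{name:12s} {verdict}")
```

<p>A page that comes back as script-only is the case Breno describes: frame it with scripting disabled and the buster never runs, so the user types a password into a login screen that is really inside the attacker's page. A CSP frame-ancestors directive, when present, takes precedence over X-Frame-Options, which is why the checker tests CSP first; a frame-ancestors value of * is treated as no protection.</p>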