<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:x="urn:schemas-microsoft-com:office:excel" xmlns:p="urn:schemas-microsoft-com:office:powerpoint" xmlns:a="urn:schemas-microsoft-com:office:access" xmlns:dt="uuid:C2F41010-65B3-11d1-A29F-00AA00C14882" xmlns:s="uuid:BDC6E3F0-6DA3-11d1-A2A3-00AA00C14882" xmlns:rs="urn:schemas-microsoft-com:rowset" xmlns:z="#RowsetSchema" xmlns:b="urn:schemas-microsoft-com:office:publisher" xmlns:ss="urn:schemas-microsoft-com:office:spreadsheet" xmlns:c="urn:schemas-microsoft-com:office:component:spreadsheet" xmlns:odc="urn:schemas-microsoft-com:office:odc" xmlns:oa="urn:schemas-microsoft-com:office:activation" xmlns:html="http://www.w3.org/TR/REC-html40" xmlns:q="http://schemas.xmlsoap.org/soap/envelope/" xmlns:D="DAV:" xmlns:x2="http://schemas.microsoft.com/office/excel/2003/xml" xmlns:ois="http://schemas.microsoft.com/sharepoint/soap/ois/" xmlns:dir="http://schemas.microsoft.com/sharepoint/soap/directory/" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:dsp="http://schemas.microsoft.com/sharepoint/dsp" xmlns:udc="http://schemas.microsoft.com/data/udc" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:sub="http://schemas.microsoft.com/sharepoint/soap/2002/1/alerts/" xmlns:ec="http://www.w3.org/2001/04/xmlenc#" xmlns:sp="http://schemas.microsoft.com/sharepoint/" xmlns:sps="http://schemas.microsoft.com/sharepoint/soap/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:udcxf="http://schemas.microsoft.com/data/udc/xmlfile" xmlns:wf="http://schemas.microsoft.com/sharepoint/soap/workflow/" xmlns:mver="http://schemas.openxmlformats.org/markup-compatibility/2006" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns:mrels="http://schemas.openxmlformats.org/package/2006/relationships" xmlns:ex12t="http://schemas.microsoft.com/exchange/services/2006/types" 
xmlns:ex12m="http://schemas.microsoft.com/exchange/services/2006/messages" xmlns:Z="urn:schemas-microsoft-com:" xmlns:st="" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=Content-Type content="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 12 (filtered medium)">
<style>
<!--
/* Font Definitions */
@font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:Consolas;
        panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:11.0pt;
        font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
p.MsoPlainText, li.MsoPlainText, div.MsoPlainText
        {mso-style-priority:99;
        mso-style-link:"Plain Text Char";
        margin:0in;
        margin-bottom:.0001pt;
        font-size:10.5pt;
        font-family:Consolas;}
span.PlainTextChar
        {mso-style-name:"Plain Text Char";
        mso-style-priority:99;
        mso-style-link:"Plain Text";
        font-family:Consolas;}
.MsoChpDefault
        {mso-style-type:export-only;}
@page Section1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.Section1
        {page:Section1;}
-->
</style>
</head>
<body lang=EN-US link=blue vlink=purple>
<div class=Section1>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText style='margin-left:.5in'>-----Original Message-----<br>
From: Ben Laurie [mailto:benl@google.com] <br>
Sent: Wednesday, October 22, 2008 2:52 AM<br>
To: Peter Williams<br>
Cc: Dick Hardt; OpenID List<br>
Subject: Re: [OpenID] Security related Use Cases?</p>
<p class=MsoPlainText style='margin-left:.5in'><o:p> </o:p></p>
<p class=MsoPlainText style='margin-left:.5in'>On Wed, Oct 22, 2008 at 1:59 AM,
Peter Williams &lt;pwilliams@rapattoni.com&gt; wrote:<o:p></o:p></p>
<p class=MsoPlainText style='margin-left:.5in'>> Built into PC browser? -10<o:p></o:p></p>
<p class=MsoPlainText style='margin-left:.5in'><o:p> </o:p></p>
<p class=MsoPlainText style='margin-left:.5in'>Why?<o:p></o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText><span style='color:black'><o:p> </o:p></span></p>
<p class=MsoPlainText><span style='color:black'>Eric mentioned the classical
reason already. Build it into every new PC browser release you like... (like the Microsoft
wallet and its support for payment-auth protocols? Remember that?) but you have
not addressed the browser in the 1 billion phones out there, the SOAP-based active
client on the corporate desktop, the non-visual IE controls embedded in Excel scripts,
and the millions of kiosks. It’s -10 vs -1 because it perpetuates a myth about
the omnipotence of the “next browser release”.<o:p></o:p></span></p>
<p class=MsoPlainText><span style='color:black'><o:p> </o:p></span></p>
<p class=MsoPlainText><span style='color:black'>Developers building the latest browser
components don't represent the reality of corporate or community deployment. Before
one can sign the outsourcing contract for 10,000 corporate users to migrate to
salesforce.com CRM and GoogleApps gmail, the system has to work in all the ways
that Exchange/Novell/Lotus does/did ... with all those devices. In general, that
means supporting quite a lot of legacy stuff … so critical business
processes don’t stop. I have 15% of users sitting at shared PCs, using a shared
account and shared cookie jar, on a Win98-era LAN. (Thus, Yahoo-based machine-based
auth is out of the question.) If they are lucky, the machine is “modern”:
it’s running XP Home Edition, unpatched, with no virus checking. <o:p></o:p></span></p>
<p class=MsoPlainText><span style='color:black'><o:p> </o:p></span></p>
<p class=MsoPlainText><span style='color:black'>Developers properly think about
tomorrow. Deployers think about today, and the cost of 1000 phone calls while
folks struggle to update their drivers, migrate their data, revise the BCP (25%
annual cost of IT, remember) and wonder what happens when their new Google
browser cannot work with their Apple phone (unlike yesterday, when it all at least
worked, albeit painfully achieved, with IE). SUN destroyed the public trust
with Java, since the reality is that change a JVM … and things DO BREAK
all the time (contrary to the pitch). I was suddenly unable to remotely admin
my Cisco SSLVPN units from my PC, just last week… It cost us 4h incident
response time….<o:p></o:p></span></p>
<p class=MsoPlainText><span style='color:black'><o:p> </o:p></span></p>
<p class=MsoPlainText style='margin-left:.5in'>> In "site seal"
used at banks, you typically accept/recognize your seal/caption BEFORE you
supply password (during signon)!<o:p></o:p></p>
<p class=MsoPlainText style='margin-left:.5in'><o:p> </o:p></p>
<p class=MsoPlainText style='margin-left:.5in'>So?<o:p></o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText><span style='color:black'>It’s the opposite of the
assertion in Paul's claim: login first, then get the seal. In US current
account banking, you typically verify the seal (and also get past the anti-fraud
expert system) and then login - so as to mitigate password phishing and malicious
JavaScript. <o:p></o:p></span></p>
<p class=MsoPlainText><span style='color:black'><o:p> </o:p></span></p>
<p class=MsoPlainText><span style='color:black'><o:p> </o:p></span></p>
<p class=MsoPlainText><span style='color:black'>The call was for a consistent
UI (and UX, whatever that is). SO?, I pointed out the first inconsistency case.
Paul wants (a), deployed banking wants (b). The likelihood of deployed banking
migrating to future OpenID consistent UI doing (a) is somewhere close to zero. They
will stay consistent with best UI practice, agreed yesterday. If the browser plugin
enforces Paul’s “consistency” vision on good UI, banks will reject
that browser and go back to their own site design.<o:p></o:p></span></p>
<p class=MsoPlainText><span style='color:black'><o:p> </o:p></span></p>
<p class=MsoPlainText><span style='color:black'>In the medium term, new trends
will of course take effect, as they address legacy installs. But it’s much
slower than you ever imagine.<o:p></o:p></span></p>
<p class=MsoPlainText><span style='color:black'><o:p> </o:p></span></p>
<p class=MsoPlainText><o:p> </o:p></p>
</div>
</body>
</html>