<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
Peter, wrt the 1) view seal 2) login sequence, I'm actually aware of
how it works. I was simply (and glibly) suggesting that we shouldn't be
surprised if users don't, and so would therefore not be overly
concerned were a phisher to suggest the opposite order - especially
given that elsewhere they are typically conditioned to expect to first
login before seeing anything personalized.<br>
<br>
regards<br>
<br>
paul<br>
<br>
p.s. On your other point about banks & UI, as try as I might, I
can't
map what you wrote onto anything I've previously written, spoke, or
thought. There are other Paul's on the list, but they haven't posted
recently. Mistaken identity perhaps?<br>
<br>
Peter Williams wrote:
<blockquote
cite="mid:7FD5B754D66D9A489C584ECA4B32418F20EFC4FC@simmbox01.rapnt.com"
type="cite">
<meta http-equiv="Content-Type" content="text/html; ">
<meta name="Generator" content="Microsoft Word 12 (filtered medium)">
<style>
<!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.MsoPlainText, li.MsoPlainText, div.MsoPlainText
{mso-style-priority:99;
mso-style-link:"Plain Text Char";
margin:0in;
margin-bottom:.0001pt;
font-size:10.5pt;
font-family:Consolas;}
span.PlainTextChar
{mso-style-name:"Plain Text Char";
mso-style-priority:99;
mso-style-link:"Plain Text";
font-family:Consolas;}
.MsoChpDefault
{mso-style-type:export-only;}
@page Section1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.Section1
{page:Section1;}
-->
</style>
<!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
<div class="Section1">
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText" style="margin-left: 0.5in;">-----Original
Message-----<br>
From: Ben Laurie [<a class="moz-txt-link-freetext" href="mailto:benl@google.com">mailto:benl@google.com</a>] <br>
Sent: Wednesday, October 22, 2008 2:52 AM<br>
To: Peter Williams<br>
Cc: Dick Hardt; OpenID List<br>
Subject: Re: [OpenID] Security related Use Cases?</p>
<p class="MsoPlainText" style="margin-left: 0.5in;"><o:p> </o:p></p>
<p class="MsoPlainText" style="margin-left: 0.5in;">On Wed, Oct 22,
2008 at 1:59 AM,
Peter Williams <a class="moz-txt-link-rfc2396E" href="mailto:pwilliams@rapattoni.com"><pwilliams@rapattoni.com></a> wrote:<o:p></o:p></p>
<p class="MsoPlainText" style="margin-left: 0.5in;">> Built into
PC browser? -10<o:p></o:p></p>
<p class="MsoPlainText" style="margin-left: 0.5in;"><o:p> </o:p></p>
<p class="MsoPlainText" style="margin-left: 0.5in;">Why?<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText"><span style="color: black;"><o:p> </o:p></span></p>
<p class="MsoPlainText"><span style="color: black;">Eric mentioned
the classical
reason already. Build it into every new PC browser release you
like..(like the Microsoft
wallet and its support for payment-auth protocols? Remember that?) but
you have
not addressed the browser in the 1 billion phones out there, the
soap-based active
client on the corporate desktop, the non visual IE controls embedded in
excel scripts,
and the millions of kiosks. its -10 vs -1 because it perpetuates a myth
about
the omnipotence of the “next browser release”.<o:p></o:p></span></p>
<p class="MsoPlainText"><span style="color: black;"><o:p> </o:p></span></p>
<p class="MsoPlainText"><span style="color: black;">Developers
building the latest browser
components don't represent the reality of corporate or community
deployment. Before
one can sign the outsourcing contract for 10,000 corporate users to
migrate to
salesforce.com CRM and GoogleApps gmail, the system has work in all the
ways
that Exchange/Novell/Lotus does/did ...with all those devices. In
general, that
means supporting quite a lot of legacy stuff …so critical business
process don’t stop. I have 15% of users sitting at shared PCs, using a
shared
account and shared cookie jar, on a win98-era LAN. (Thus, Yahoo-based
machine-based
auth is out of the question.) If they are lucky, the machine is
“modern”:
its running XP home edition, unpatched, with no virus checking. <o:p></o:p></span></p>
<p class="MsoPlainText"><span style="color: black;"><o:p> </o:p></span></p>
<p class="MsoPlainText"><span style="color: black;">Developers
properly think about
tomorrow. Deployers thing about today, and the cost of 1000 phone calls
while
folks struggle to update their drivers, migrate their data, revise the
BCP (25%
annual cost of IT, remember) and wonder what happens when their new
Google
browser cannot work with their Apple phone (unlike yesterday, when it
all at least
worked, albeit painfully achieved, with IE). SUN destroyed the public
trust
with Java, since the reality is that change an JVM…and things DO BREAK
all the time (contrary to the pitch). I was suddenly unable to remotely
admin
my cisco SSLVPN units from my PC, just last week… It cost us 4h
incident
response time….<o:p></o:p></span></p>
<p class="MsoPlainText"><span style="color: black;"><o:p> </o:p></span></p>
<p class="MsoPlainText" style="margin-left: 0.5in;">> In "site
seal"
used at banks, you typically accept/recognize your seal/caption BEFORE
you
supply password (during signon)!<o:p></o:p></p>
<p class="MsoPlainText" style="margin-left: 0.5in;"><o:p> </o:p></p>
<p class="MsoPlainText" style="margin-left: 0.5in;">So?<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText"><span style="color: black;">It’s the opposite
of the
assertion in Paul's claim: login first, then get the seal. In US
current
account banking, you typically verify the seal (and also get past the
anti-fraud
expert system) and then login - so as to mitigate password phishing and
malicious
javascript. <o:p></o:p></span></p>
<p class="MsoPlainText"><span style="color: black;"><o:p> </o:p></span></p>
<p class="MsoPlainText"><span style="color: black;"><o:p> </o:p></span></p>
<p class="MsoPlainText"><span style="color: black;">The call was for
a consistent
UI (and UX, whatever that is). SO?, I pointed out the first
inconsistency case.
Paul wants (a), deployed banking wants (b). The likelihood of deployed
banking
migrating to future OpenID consistent UI doing (a) is somewhere close
to zero. They
will stay consistent with best UI practice, agreed yesterday. If the
browser plugin
enforces Paul’s “consistency” vision on good UI, banks will reject
that browser and go back to their own site design.<o:p></o:p></span></p>
<p class="MsoPlainText"><span style="color: black;"><o:p> </o:p></span></p>
<p class="MsoPlainText"><span style="color: black;">In the medium
term, new trends
will of course take effect, as they address legacy installs. But, its
much
slower than you ever imagine.<o:p></o:p></span></p>
<p class="MsoPlainText"><span style="color: black;"><o:p> </o:p></span></p>
<p class="MsoPlainText"><o:p> </o:p></p>
</div>
<pre wrap="">
<hr size="4" width="90%">
_______________________________________________
general mailing list
<a class="moz-txt-link-abbreviated" href="mailto:general@openid.net">general@openid.net</a>
<a class="moz-txt-link-freetext" href="http://openid.net/mailman/listinfo/general">http://openid.net/mailman/listinfo/general</a>
</pre>
<pre wrap="">
<hr size="4" width="90%">
No virus found in this incoming message.
Checked by AVG.
Version: 7.5.549 / Virus Database: 270.8.2/1739 - Release Date: 22/10/2008 7:23 AM
</pre>
</blockquote>
<br>
<div class="moz-signature">-- <br>
<a href="http://feeds.feedburner.com/%7Er/blogspot/gMwy/%7E6/1"><img
src="cid:part1.00080206.02080301@rogers.com" alt="ConnectID"
style="border: 0pt none ;"></a></div>
</body>
</html>