<div>Deron, </div>
<div> </div>
<div>I guess if the RP was trying to phish information and made the OP display text in French... this could be mitigated. If the user were already logged in, thus providing the simple OK button you mentioned, then the OP should ignore the RP's language recommendation because the OP knows what the real language preference is. If the user isn't logged in and the OP therefore knows nothing about the language preference (aside from the preferred HTTP header), then the OP could go ahead with the RP's suggestion,... until the user managed to log in. Then the language could revert to whatever the user Really preferred. So as long as the OP is coded correctly, I don't see much room for phishing attacks.<br>
</div>
<div class="gmail_quote">On Wed, Oct 29, 2008 at 12:29 PM, Deron Meranda <span dir="ltr"><<a href="mailto:deron.meranda@gmail.com">deron.meranda@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid">
<div class="Ih2E3d">On Wed, Oct 29, 2008 at 3:19 PM, Martin Atkins <<a href="mailto:mart@degeneration.co.uk">mart@degeneration.co.uk</a>> wrote:<br>> Deron Meranda wrote:<br>>><br>>> I'm not really sure of the whole point to the proposal anyway; isn't that<br>
>> what the HTTP Accept-Language header is for?<br>><br>> I believe the idea here is to arrange for the OP UI to appear in the same<br>> language as the RP regardless of how the RP determined language.<br>><br>
> However, I have before raised the concern that if I'm muddling my way<br>> through a site that's only available in French I'd still rather have my OP<br>> -- that, after all, knows more about me than the RP -- present its UI in<br>
> English, my primary language.<br><br></div>This probably should go in a separate thread if it gets much longer....<br><br>First, I'm wary of the RP telling the OP how to display things. It<br>could open up even more phishing issues. If the RP could tell the<br>
OP to display the login page in, say, Cherokee; then the end user<br>who can't read the page but sees the "ok" button is likely to grant<br>access when they didn't understand what they were doing. The<br>
RP in my opinion should have a minimal amount of influence over<br>how the OP communicates with the end user; including the language.<br><br>The OP should either know the user's preferred language because<br>he's already logged in, or should use the browser's Accept-Language<br>
header.<br><br>Now, IF, the RP did need to pass a language, couldn't that be<br>done by sending an HTTP Accept-Language header along<br>with the GET/HEAD during the XRDS discovery phase... the OP<br>could then potentially send back different XRDS resources based<br>
on the language, if it wanted to.<br>--<br><font color="#888888">Deron Meranda<br></font>
<div>
<div></div>
<div class="Wj3C7c">_______________________________________________<br>general mailing list<br><a href="mailto:general@openid.net">general@openid.net</a><br><a href="http://openid.net/mailman/listinfo/general" target="_blank">http://openid.net/mailman/listinfo/general</a><br>
</div></div></blockquote></div><br>