<html><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">I am going to vote in favor of forming the WG.<div><br></div><div>I have my own deep concerns about phishing attacks.</div><div><br></div><div>However, OPs that support Infocard, x509, OTP tokens, and other multi-factor authentication techniques should not be precluded from supporting this.</div><div><br></div><div>I have had discussions on the discovery part of the proposed spec with the authors, and am OK with the work on that to this point.</div><div><br></div><div>I will however vote against the final version if the popup is not at the OP's discretion via Discovery, and OPs are not required to use phishing-resistant authentication in the popup.</div><div><br></div><div>If this is not done correctly it will reinforce bad habits in users, and potentially negatively impact the perception of OpenID in general.</div><div><br></div><div>I think it is a discussion worth having, but as most people would expect I am unconvinced that popups can be used for user-name and password logins by an OP.</div><div><br></div><div>But hey Ben Laurie can't always chime in so I will play backup grumpy security guy:)</div><div><br></div><div>Regards</div><div>John Bradley</div><div><br><div><div><div>On 19-Mar-09, at 6:11 PM, <a href="mailto:general-request@openid.net">general-request@openid.net</a> wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite"><span class="Apple-style-span" style="color: rgb(0, 0, 0); font-family: -webkit-monospace; font-size: 10px; ">Date: Fri, 20 Mar 2009 03:09:03 +0200<br>From: "Eddy Nigg (StartCom Ltd.)" <<a href="mailto:eddy_nigg@startcom.org">eddy_nigg@startcom.org</a>><br>Subject: Re: [OpenID] Fwd: [OpenID Foundation] New Poll Opened<br>To: SitG Admin <<a href="mailto:sysadmin@shadowsinthegarden.com">sysadmin@shadowsinthegarden.com</a>><br>Cc:<span class="Apple-converted-space"> </span><a 
href="mailto:general@openid.net">general@openid.net</a><br>Message-ID: <<a href="mailto:49C2ECAF.5080804@startcom.org">49C2ECAF.5080804@startcom.org</a>><br>Content-Type: text/plain; charset="utf-8"; Format="flowed"<br><br><br>On 03/20/2009 03:01 AM, SitG Admin:<br><blockquote type="cite"><blockquote type="cite">Phishing still is a major concern, however, we do not think that the<span class="Apple-converted-space"> </span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">popup window significantly changes the phishing scenarios compared to<span class="Apple-converted-space"> </span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">the existing full browser window UIs today.<br></blockquote></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">Are you speaking of full-size windows, here, or windows that have an<span class="Apple-converted-space"> </span><br></blockquote><blockquote type="cite">address bar in them? Pop-up windows that are missing this indication<span class="Apple-converted-space"> </span><br></blockquote><blockquote type="cite">of what site the user is at may reduce confusion by eliminating<span class="Apple-converted-space"> </span><br></blockquote><blockquote type="cite">distractions, but they also take away from the user's awareness of<span class="Apple-converted-space"> </span><br></blockquote><blockquote type="cite">what's going on.<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite"><br></blockquote><br>Wait! Isn't this supposed to be part of the WG itself? 
I'm not in favor<span class="Apple-converted-space"> </span><br>of popup windows at all, however I think the discussions and arguments<span class="Apple-converted-space"> </span><br>should go into the WG and I expect some surprising results because of<span class="Apple-converted-space"> </span><br>it...it might be one of the few WGs which will not end up in an approved<span class="Apple-converted-space"> </span><br>specification. Voting against the WG is refusing to discuss the problems<span class="Apple-converted-space"> </span><br>at hand - both that of usability and security (and they don't have to go<span class="Apple-converted-space"> </span><br>with each other always).<br><br>Regards<br>Signer:<span class="Apple-converted-space"> </span><span class="Apple-tab-span" style="white-space: pre; ">        </span>Eddy Nigg, StartCom Ltd. <<a href="http://www.startcom.org">http://www.startcom.org</a>><br>Jabber:<span class="Apple-converted-space"> </span><span class="Apple-tab-span" style="white-space: pre; ">        </span><a href="mailto:startcom@startcom.org">startcom@startcom.org</a> <<a href="xmpp:startcom@startcom.org">xmpp:startcom@startcom.org</a>><br>Blog:<span class="Apple-converted-space"> </span><span class="Apple-tab-span" style="white-space: pre; ">        </span>Join the Revolution! <<a href="http://blog.startcom.org">http://blog.startcom.org</a>><br>Phone:<span class="Apple-converted-space"> </span><span class="Apple-tab-span" style="white-space: pre; ">        </span>+1.213.341.0390<br></span></blockquote></div><br></div></div></body></html>