<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
Thanks Allen, could you clarify something for me please? You describe
the two aspects of the extension (language and pop-up) both as hints
from the RP to the OP - these guiding the OP in building UI for the
user.<br>
<br>
But the scope section of the WG proposal indicates that it is the OP
that indicates to the RP its support for a pop-up UI, rather than the
RP hinting/requesting that the OP build such a UI .....<br>
<br>
Am I missing something?<br>
<br>
paul<br>
<br>
Allen Tom wrote:
<blockquote cite="mid:49C3D19C.3060606@yahoo-inc.com" type="cite">
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
Hi Paul,<br>
<br>
What the OP decides to display within the Popup is out of scope,
consistent with how the content the OP displays in the current redirect
UI is out of scope. The OpenID spec does not define the method used to
authenticate the user, so some OPs may use username/password, and
others might use other authentication techniques. As Breno mentioned
earlier, the popup is really not much different than the existing UI,
except that it's in a popup.<br>
<br>
I believe that that it is very prudent for OPs to educate their users
about phishing and security in general, and the text currently on
MySpace's homepage is a good example.<br>
<br>
The language hint and the popup UI are related in that they are both UI
attributes passed by the RP to the OP so that the OP can display an
authentication UI that is optimized for the RP's user experience. We
intend that the resulting UI Extension will allow the language
preference and popup to be implemented independently of each other. We
expect that OPs can advertise support for either language preference,
popup, or both via discovery.<br>
<br>
Thanks<br>
Allen<br>
<br>
<br>
<br>
<br>
Paul Madsen wrote:
<blockquote cite="mid:49C38BC6.4080705@rogers.com" type="cite">
<meta content="text/html;charset=ISO-8859-1"
http-equiv="Content-Type">
Allen, would not the fact that the content of the pop-up is
specifically declared out of scope in the WG proposal preclude guiding
the OP to provide such warnings or, for instance, display a sign-in
seal, in the pop-up ?<br>
<br>
Separately, a language hint from the RP is clearly orthogonal to the
question of pop-up/full window. Are there implications for them to be
conflated into a single extension, e.g. for metadata advertisement of
extension support?<br>
<br>
paul<br>
<br>
Allen Tom wrote:
<blockquote cite="mid:49C2ED40.1080408@yahoo-inc.com" type="cite">
<meta content="text/html;charset=ISO-8859-1"
http-equiv="Content-Type">
<title></title>
The popup window will be REQUIRED to display the address bar. OPs will
be strongly encouraged to educate their users to always pay attention
to the URL of the address bar before entering their credentials.<br>
<br>
In particular, I think MySpace does an excellent job on their home page:<br>
<br>
<h3>Always make sure you're visiting the real myspace.com!</h3>
<ol>
<li>Check the URL in your browser.</li>
<li>Make sure it begins with <a moz-do-not-send="true"
class="moz-txt-link-freetext" href="http://www.myspace.com/">http://www.myspace.com/</a></li>
<li>If ANY OTHER PAGE asks for your info, DON'T LOG IN!</li>
</ol>
Allen<br>
<br>
<br>
SitG Admin wrote:
<blockquote cite="mid:f06110401c5e89af89b8c@%5B192.168.0.2%5D"
type="cite">
<blockquote type="cite">Phishing still is a major concern,
however,
we do not think that the popup window significantly changes the
phishing scenarios compared to the existing full browser window UIs
today. <br>
</blockquote>
<br>
Are you speaking of full-size windows, here, or windows that have an
address bar in them? Pop-up windows that are missing this indication of
what site the user is at may reduce confusion by eliminating
distractions, but they also take away from the user's awareness of
what's going on. <br>
<br>
-Shade <br>
</blockquote>
<br>
<pre wrap=""><hr size="4" width="90%">
_______________________________________________
general mailing list
<a moz-do-not-send="true" class="moz-txt-link-abbreviated"
href="mailto:general@openid.net">general@openid.net</a>
<a moz-do-not-send="true" class="moz-txt-link-freetext"
href="http://openid.net/mailman/listinfo/general">http://openid.net/mailman/listinfo/general</a>
</pre>
<pre wrap=""><hr size="4" width="90%">
No virus found in this incoming message.
Checked by AVG.
Version: 7.5.557 / Virus Database: 270.11.19/2011 - Release Date: 19/03/2009 7:05 AM
</pre>
</blockquote>
<br>
<div class="moz-signature">-- <br>
<font size="-1">Paul Madsen<br>
e:paulmadsen @ ntt-at.com<br>
p:613-482-0432<br>
m:613-282-8647<br>
web:connectid.blogspot.com<br>
</font><a moz-do-not-send="true"
href="http://feeds.feedburner.com/%7Er/blogspot/gMwy/%7E6/1"><img
src="cid:part1.08020406.02060105@rogers.com" alt="ConnectID"
style="border: 0pt none ;"></a></div>
</blockquote>
<br>
<pre wrap="">
<hr size="4" width="90%">
No virus found in this incoming message.
Checked by AVG.
Version: 7.5.557 / Virus Database: 270.11.21/2014 - Release Date: 20/03/2009 6:59 AM
</pre>
</blockquote>
<br>
<div class="moz-signature">-- <br>
<font size="-1">Paul Madsen<br>
e:paulmadsen @ ntt-at.com<br>
p:613-482-0432<br>
m:613-282-8647<br>
web:connectid.blogspot.com<br>
</font><a href="http://feeds.feedburner.com/%7Er/blogspot/gMwy/%7E6/1"><img
src="cid:part2.05040105.05010301@rogers.com" alt="ConnectID"
style="border: 0pt none ;"></a></div>
</body>
</html>