Hi Breno,<br><br>But if the RP detects malicious activity, why would it ask the OP to have the user change their password? Isn't it too late by then, and wouldn't it be asking the malicious user to reset the password, thus locking out the real user?<br>
<br>Also, some OPs don't even use passwords to authenticate their users, so whatever we come up with, the extension should be able to behave reasonably in that case.<br clear="all">--<br>Andrew Arnott<br>"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - Voltaire<br>
<br><br><div class="gmail_quote">On Wed, May 13, 2009 at 9:03 AM, Breno de Medeiros <span dir="ltr"><<a href="mailto:breno@google.com">breno@google.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Let's give a concrete scenario:<br>
<br>
1. RP detects malicious activity on the user's account at the OP.<br>
<br>
2. In such cases, the RP would have asked the user to reset the<br>
password. However, this user logs in via OpenID so the RP does not<br>
have the choice.<br>
<br>
3. The RP puts some messaging that the user should change their<br>
password at the OP. However, because there is no standard to even<br>
communicate which URL at the OP the user can change password, the<br>
experience is broken. A lot of users either don't know (without help<br>
from the OP) how to change their passwords.<br>
<br>
4. Users give up, or seek personal assistance.<br>
<div class="im"><br>
<br>
On Tue, May 12, 2009 at 8:17 PM, Santosh Rajan <<a href="mailto:santrajan@gmail.com">santrajan@gmail.com</a>> wrote:<br>
> Wouldn't it be better if the OP took complete responsibility of the user's<br>
> security instead of bringing the RP into the loop? OP can decide based on<br>
> the user's usage pattern how often he must change his password and post a<br>
> recommendation to the user whenever he logs in.<br>
<br>
<br>
<br>
</div><div class="im">--<br>
--Breno<br>
<br>
+1 (650) 214-1007 desk<br>
+1 (408) 212-0135 (Grand Central)<br>
MTV-41-3 : 383-A<br>
PST (GMT-8) / PDT(GMT-7)<br>
_______________________________________________<br>
</div><div><div></div><div class="h5">general mailing list<br>
<a href="mailto:general@openid.net">general@openid.net</a><br>
<a href="http://openid.net/mailman/listinfo/general" target="_blank">http://openid.net/mailman/listinfo/general</a><br>
</div></div></blockquote></div><br>