<!doctype html public "-//W3C//DTD W3 HTML//EN">
<html><head><style type="text/css"><!--
blockquote, dl, ul, ol, li { padding-top: 0 ; padding-bottom: 0 }
--></style><title>Re: [OpenID] Abusing Authentication Failure
messages</title></head><body>
<div>>>>As an end-user, I would trust a site that claimed
OpenID support to guard my safety and privacy more if I knew the
specification required it to be stringent in the above matters.</div>
<div><br></div>
<div>>>What you have here is a legal issue: does your contract
with the site *require* it to guard your safety and privacy?</div>
<div><br></div>
<div>>I disagree. What you have here is a branding issue.</div>
<div><br></div>
<div>>--</div>
<div>>"Elevator Inspection Certificate is on file in the
Maintenance Office"</div>
<div><br></div>
<div>Yes, the legal basis of trust can be outsourced to a TTP, so you
don't need to separately investigate a number of individual sites.
Branding then enables ready recognition of a site's membership in that
special club, which is special because not everyone *does* do
it.</div>
<div><br></div>
<div>My counter-perspective is: "As an end-user, I would trust a
site to guard my safety and privacy more if I knew that it was NOT
required to be stringent in these matters, but had actively researched
the protocols it was using, discovered possible vulnerabilities, and
taken steps to counteract them."</div>
<div><br></div>
<div>Maarten's perspective is that mandatory compliance, not optional
compliance, inspires more trust. This is where a blanket
legally-binding contract would come in: it is possible to ride to the
top floor in a certified elevator, and then fall through said floor
upon stepping out of the elevator, because no [elevator] regulations
governed the strength of the infrastructure surrounding it.</div>
<div><br></div>
<div>-Shade</div>
</body>
</html>