<html><head><style type="text/css"><!-- DIV {margin:0px;} --></style></head><body><div style="font-family:arial,helvetica,sans-serif;font-size:10pt"><div style="font-family: arial,helvetica,sans-serif; font-size: 10pt;"><span style="font-family: arial,helvetica,sans-serif;">Well, ahem... this is a good observation to keep in mind, seems to me. No doubt everyone would acknowledge that saying OpenID is no different/worse than "forgotten password emails" is not something to lead with on a marketing message. Still, it is plausible to keep in mind that it can surely be used to assuage website operators' specific doubts on occasion and refute various suggestions that OpenID is worse than what we already are enduring. The one phrase I'd quibble with is 'deliberately bad...' 'Unavoidably bad' or 'necessarily bad' come to mind but deliberately bad suggests malice or intentionality.<br><br>Also, there is a Murphy's law that has meaning in this
context. It goes something like this...don't make perfection the enemy of the very good. After all, nothing in the ID realm has yet to achieve perfection, as far as I'm aware...<br><br>cheers,<br>-bill<br><br><br>Simon Willison wrote (in part)...<br></span><div style="font-family: times new roman,new york,times,serif; font-size: 12pt;"><div><br>I don't feel too good about rejecting problems with OpenID by saying<br>"but e-mail has that problem too" - much better to offer real<br>solutions - but it's a pretty good way of explaining how it doesn't<br>make things any worse.<br><br>When you explain to people that forgotten password e-mails are just<br>SSO with a deliberately bad user experience, OpenID suddenly stops<br>seeming like such a radical proposition!<br><br>Interestingly, that argument works both ways. I can say that if a site<br>has forgotten password e-mails they have no excuse not to use OpenID,<br>but there are some sites (such
as banks) that DON'T do forgotten<br>password e-mails, presumably because they don't want to outsource<br>their security to their user's e-mail provider. The logical conclusion<br>then is that banks shouldn't support OpenID - at least not without<br>some kind of scheme for certifying providers that have bank-approved<br>levels of security.<br><br>Cheers,<br><br>Simon<br>_______________________________________________<br>marketing mailing list<br>marketing@openid.net<br><a target="_blank" href="http://openid.net/mailman/listinfo/marketing">http://openid.net/mailman/listinfo/marketing</a><br></div></div><br></div></div></body></html>