[security] MyOpenID
Dmitry Shechtman
damnian at gmail.com
Wed Mar 21 19:56:21 UTC 2007
> I hope I'm not over-reacting here
But you are. There's nothing new about this issue, I mentioned it on my blog
a while ago.
> Was calling it a "public" persona not the right choice of words? Is the
> following documentation, linked prominently from the box you must check
> to make a persona public, at all unclear or misleading?
It's not about the wording or the documentation. Nobody actually reads it.
I'm speaking out of experience with many users logging into phpbb-openid
demo boards and being genuinely surprised to find out that their email
addresses are publicly visible.
You shouldn't assume every user is intimately familiar with concepts such as
public personas. Here is just one recent illustration:
http://test2.phpbb.cc/viewtopic.php?p=15#15
> Right now I'm not sure who this "wakeup call" caught sleeping, or more
> importantly, how we could have prevented them from nodding off in the
> first place.
I guess I already answered the first bit. As for prevention, I believe the
default persona shouldn't become public automatically, and the "public"
checkbox should be accompanied by a clearly visible single-line warning.
Regards,
Dmitry
=damnian