Discovery of an OpenID session at an OP
Chris Obdam
chris.obdam at holder.nl
Tue Dec 15 17:58:32 UTC 2009
> It's a good opportunity to look at what attack vectors this
> has enabled in the real world before throwing the usability baby out
> with the security bathwater.
And for not throwing the usability baby out I gave a +1 to John ;-)
>
> --
> John Panzer / Google
> jpanzer at google.com / abstractioneer.org / @jpanzer
>
> On Tue, Dec 15, 2009 at 9:12 AM, Breno de Medeiros <breno at google.com> wrote:
>>>
>>> So could you please clarify whether you are saying you agree with John's
>>> intended main point, that OPs could (should?) address this with a privacy
>>> mechanism (in which case I'm curious whether you think the foundation and spec
>>> should require or encourage such mechanisms) *or* whether you think the
>>> DOM/JS flaw means OpenID shouldn't worry about user privacy?
>>>
>>
>> I think John's point is that the mechanism to protect privacy should
>> be optionally available to OPs: There should be a rule to allow OPs to
>> push this information without user consent.
>>
>> John anchored this point on the fact that the information is already
>> available via DOM/JS tricks. I think that these DOM/JS tricks are not
>> difficult to be fixed on the client side so I would prefer not to make
>> arguments for how to move forward based on accidental circumstances.
>> Regardless of the justification, one could argue that OPs should not
>> be mandated to implement the privacy solution because they may know
>> better what their consumers want. That is good as it goes, but we
>> should still make sure that the design makes it easy for RPs to
>> implement the privacy issue, because if it becomes an issue of
>> technical complexity (as opposed to finding out what users want) and
>> there's a loophole (it's optional), then it will likely not be
>> implemented.
>>
>> The risk of having no privacy story is a backlash that results in the
>> baby being thrown out with the bath water.
>> _______________________________________________
>> specs mailing list
>> specs at lists.openid.net
>> http://lists.openid.net/mailman/listinfo/openid-specs
>>