<div class="gmail_quote">On Mon, Jun 7, 2010 at 2:13 PM, SitG Admin <span dir="ltr">&lt;<a href="mailto:sysadmin@shadowsinthegarden.com">sysadmin@shadowsinthegarden.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div class="im"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
OK. To be clear, I do not believe that XAuth breaks privacy. Therefore, I don't believe browsers need to 'fix' it.<br>
</blockquote>
<br></div>
Um . . . you admit (on the blog post) that the only reason this first version relies on a single (central) domain is because browsers do not currently support it. You also want XAuth to "bootstrap" the (future) browser-centric solution. Let's recap:<br>
<br>
1) The browsers, in their current incarnation, do NOT support XAuth.<br>
2) You see a future where browsers add support for XAuth.<br>
3) You think that XAuth will encourage browsers to add support.<br>
<br>
If the status quo persists then THERE IS A PROBLEM (for XAuth).<br></blockquote><div><br></div><div>I don't see how that follows. My position is that the world would be better with browser XAuth support but it is not broken without it. You seem to think a non-browser-centric version is "broken", but you haven't explained why you think that.</div>
<div><br></div><div>Specifically, I haven't seen a privacy issue which is simply 'solved' by moving responsibility into the browser. I believe browsers are in the best position to do certain things (like not rely on a central DNS name, remove SPOFs, and help implement anti-phishing) but these don't specifically address 'privacy'. Is there a specific privacy attack / leak you're worried about that we could discuss?</div>
<div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<br>
You are proposing to present browser vendors with a broken model and say "Here, it doesn't work *exactly* as advertised yet, but if you add support for it, it will!": this is functionally equivalent to "We're going to be marketing this to users as if it weren't broken, so if you don't like that, it's YOUR job to fix it."<br>
</blockquote><div><br></div><div>No, I'm saying it works as advertised, and would work even better if they start to support it. If they don't, their users will miss out on a better user experience. If they do, then their users would be happier. The fact that IdPs and RPs already (in this scenario) rely on XAuth makes this a much easier sell than if we were going to them with a blue-sky idea. Does that make sense?</div>
<div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<br>
-Shade<br>
</blockquote></div><br>