Sorry to say this. Even though you think the situation is "overblown", I think you have "really lost it", I think you have really gone "NUTS". I think your own suggestion in an earlier post that you would like to go australia, frankly, I thing, is a good idea and you should keep up with that promise.<br>
<br><div class="gmail_quote">On Tue, Jun 8, 2010 at 10:47 AM, Eran Hammer-Lahav <span dir="ltr"><<a href="mailto:eran@hueniverse.com">eran@hueniverse.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div class="im"><br>
<br>
> -----Original Message-----<br>
> From: <a href="mailto:openid-specs-bounces@lists.openid.net">openid-specs-bounces@lists.openid.net</a> [mailto:<a href="mailto:openid-specs-">openid-specs-</a><br>
> <a href="mailto:bounces@lists.openid.net">bounces@lists.openid.net</a>] On Behalf Of John Panzer<br>
> Sent: Monday, June 07, 2010 9:47 PM<br>
<br>
> (Note that exactly the same issues arise when downloading extensions. JS is<br>
> just a way of delivering always-latest-version extensions to your browser.)<br>
<br>
</div>Only in this case, the user is in full control over what extensions are being installed and updated in its browser.<br>
<br>
If Google, Yahoo, Microsoft, and the rest of the companies supporting the OpenID effort deployed the server-side half of this proposal, and spent a little money on developing plug-ins for all the major browsers (with Google and Microsoft able to also include it in the next release of their browser), it will create the tipping point in getting some form of identity selector in the browser.<br>
<br>
It was one thing for the OpenID community of 3 years ago to hack the protocol around the limitations of that time. These arguments are just insincere when they come from Google, now that you have a pretty successful browser (especially considering its age) and massively huge web footprint to promote such a feature.<br>
<br>
At the end, until you no longer use a script hosted in a single server, whoever is in control of this server can do whatever they like. Yes, if they do something bad it will be noticed, but that's like putting a bag full of cash on a street corner with a video camera next to it. Add to that the wealth of information the <a href="http://xauth.org" target="_blank">xauth.org</a> site operator can gather without anyone's knowledge, this becomes a scary proposition.<br>
<br>
Your entire argument is that my concerns are "overblown", but not that the basic premise is incorrect. XAuth uses a single web server which is the most essential part of the proposal. The fact that the data itself isn't stored on that server (say, in a cookie sent to it) is an improvement over using cookies to store this data, but not by much.<br>
<br>
If this was something like the gravatar service - maybe. But you are asking for blind trust in something that is core to web security and privacy.<br>
<br>
EHL<br>
_______________________________________________<br>
specs mailing list<br>
<a href="mailto:specs@lists.openid.net">specs@lists.openid.net</a><br>
<a href="http://lists.openid.net/mailman/listinfo/openid-specs" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs</a><br>
</blockquote></div><br><br clear="all"><br>-- <br><a href="http://hi.im/santosh">http://hi.im/santosh</a><br><br><br>