OpenID in desktop apps
Christopher St John
ckstjohn at gmail.com
Mon Feb 9 16:56:52 UTC 2009
On Mon, Feb 9, 2009 at 5:42 AM, Paul Walker <pwalker at myspace.com> wrote:
>
> Why should we not further the expectations of downloaded/installed apps when
> it comes to security no matter the platform?
>
But nobody has come up with a way to do that. I'm arguing
that it's currently impossible. (The suggestions so far provide
only the illusion of security because they can trivially be
spoofed by evil apps.)
> I don't see a big
> detriment in the user workflow for even a mobile app that pops up the
> browser and, after auth, returns to the custom protocol of the app (i.e.
> facebook:///mygarden_is_now_authed), which communicates back to the app the
> output.
>
Well, "current thinking" seems to be that the delegated authc/authz
dance is a detriment, so saying it's not is controversial (and ref
evidence that even small impediments to usability can significantly
reduce user acceptance of security enhancements).
> If the platforms don't have mechanisms that help the users insure
> the Provider, let's make it so rather than "punting" on the issue.
>
By "make it so" I'm assuming you mean lobby the people in charge
of desktop and mobile devices to add new security mechanisms to
their operating systems? I might buy that, actually. But it doesn't
help in the short term.
If you mean "pretend that forcing use of a browser really adds some
sort of security even though we know it doesn't" then I'd disagree
strongly.
-cks
--
Christopher St. John
http://artofsystems.blogspot.com