I wonder if the story for HTTPS/SSL is a good one for us to look at?<br><br>or did it just happen so early in browser life that it was easy?<br><br><div class="gmail_quote">2009/3/25 Johannes Ernst <span dir="ltr"><jernst+<a href="http://openid.net">openid.net</a>@<a href="http://netmesh.us">netmesh.us</a>></span><br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">This is really interesting.<br>
<br>
It seems to me that we are struggling with a problem that is in no way specific to OpenID. It sounds like we should try and get everybody in a room that has the same problem -- like Visa in this example -- regardless of whether they have ever heard of or like OpenID, and come up with:<br>
<br>
1. this is the best we can do with existing browsers, and we all educate the user the same way about the flow<br>
<br>
2. a wish list for the browser companies how to offer better browser support natively for this particular pattern. Some generic pattern markup (not OpenID-specific, but for the redirect pattern) might be advantageous.<div>
<div></div><div class="h5"><br>
<br>
<br>
<br>
<br>
On Mar 25, 2009, at 10:57, Martin Atkins wrote:<br>
<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Allen Tom wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Do you have more details about the verified by visa process? I'm not familiar with it.<br>
I actually bought something online this morning, and I noticed that the merchant's checkout confirmation page mentioned something about portions of the screen being rendered by my credit card issuer in an iframe, which I thought was a weird thing to tell to the end user.<br>
</blockquote>
<br>
I'm by no means an expert on 3D-Secure (which is the technology underlying Verified By Visa), but the flow seems very similar to OpenID:<br>
<br>
* Merchant does "discovery" on your credit card to find out who your provider is.<br>
<br>
* Merchant sends you to that provider where the provider authenticates you by some means -- in my case, I get asked to enter three letters out of a secret word and some other security questions, but I assume this varies from provider to provider -- and sends an assertion back to the merchant.<br>
<br>
* The merchant recieves the assertion and processes the transaction.<br>
<br>
The ever-reliable Wikipedia tells me that the Verified By Visa brand of the protocol recommends loading the provider's UI in an iframe in order to *stop* users seeing the address bar, because many savvy users mistook it for a phishing scam:<br>
<a href="http://ambrand.com/2006/09/06/is-securesuitecouk-a-phishing-scam/" target="_blank">http://ambrand.com/2006/09/06/is-securesuitecouk-a-phishing-scam/</a><br>
<br>
(one might argue that this would be less of an issue if the issuing banks served the data in their own domain rather than outsourcing it, but I digress.)<br>
<br>
The "criticism" section of the Wikipedia page on 3D-secure details a bunch of problems that OpenID implementors have also encountered.<br>
<br>
_______________________________________________<br>
user-experience mailing list<br>
<a href="mailto:user-experience@openid.net" target="_blank">user-experience@openid.net</a><br>
<a href="http://openid.net/mailman/listinfo/user-experience" target="_blank">http://openid.net/mailman/listinfo/user-experience</a><br>
</blockquote>
<br>
<br>
<br></div></div><font color="#888888">
Johannes Ernst<br>
NetMesh Inc.<br>
<br>
</font><br> <br> <a href="http://netmesh.info/jernst" target="_blank">http://netmesh.info/jernst</a><br>
<br>
<br>
<br>
<br>_______________________________________________<br>
user-experience mailing list<br>
<a href="mailto:user-experience@openid.net">user-experience@openid.net</a><br>
<a href="http://openid.net/mailman/listinfo/user-experience" target="_blank">http://openid.net/mailman/listinfo/user-experience</a><br>
<br></blockquote></div><br><br clear="all"><br>-- <br>-- <br>Justin Kruger -- Sr. Software Engineer - MySpace MDP<br><a href="http://jDavid.net">http://jDavid.net</a><br><a href="mailto:jDavid.net@gmail.com">jDavid.net@gmail.com</a><br>
<br>Anton Freeman: Vincent! How are you doing this Vincent? How have you done any of this? We have to go back.<br>Vincent: It's too late for that. We're closer to the other side.<br>Anton Freeman: What other side? You wanna drown us both?<br>
Vincent: You wanna know how I did it? This is how I did it Anton. I never saved anything for the swim back. <br>