I agree that browser support is ultimately the best way to address the issue.<br><br>At SW Foo we briefly discussed an idea to drive client adoption of this not through openid, per se, but rather by trying to standardize the flow by enhancing HTML5 itself. Browsers could implement this in the way they best see fit, which would create a competitive market for the underlying implementations (openid or otherwise).<br>
<br>Something as simple as:<br><code style="font-family: courier new,monospace;"><br> &lt;form <b>type="login"</b> method="POST" action="<a href="http://example.com/login/">http://example.com/login/</a>"&gt;</code><code style="font-family: courier new,monospace;"><br>
&nbsp;&nbsp;&nbsp;&lt;!-- regular HTML username and password form here --&gt;</code><code style="font-family: courier new,monospace;"><br> &lt;/form&gt;<br><br></code>Where the type="login" establishes a contract that allows the browser to replace the inner HTML with an implementation of choice that will POST a user's credentials, after the user allows it, to the action URL in a standardized format. A dumb browser would ignore the type and act as a normal login form. Whereas an OpenID-aware browser would rely on the user's preferred IDP to fetch profile data, and perhaps does so via native chrome, even skipping ungainly login steps at the IDP if desired. Other types of browsers might support other mechanisms like InfoCards, or protocols that haven't even been considered yet.<br>
<br>The important thing is to standardize both the hint to the browser that it is a login form (i.e., the invented type="login") and the format of the data that is ultimately POSTed to the server.<br><br>One could also extend HTTP 'WWW-Authenticate' response headers to indicate that a particular page accepts the above login flow, so that a smart client could negotiate the login behind the scenes without bothering the user on return visits.<br>
<br>Might be nuts, I don't know...<br><br>-DeWitt<br><br><div class="gmail_quote">On Fri, May 1, 2009 at 10:47 AM, Brendan O'Connor <span dir="ltr">&lt;<a href="mailto:openid@ussjoin.com">openid@ussjoin.com</a>&gt;</span> wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"><div class="im">On Fri, May 1, 2009 at 1:35 PM, Johannes Ernst<br>
&lt;jernst+<a href="http://openid.net" target="_blank">openid.net</a>@<a href="http://netmesh.us" target="_blank">netmesh.us</a>&gt; wrote:<br>
<br>
> If we could get the browser developers to add anything we wanted to their<br>
> browsers, what *exactly* would we want them to implement?<br>
> This is not outlandish. The Mozilla folks asked repeatedly in the past (and<br>
> we never knew what to say in response) and the security of a billion OpenIDs<br>
> is not a set of user requirements that's easily dismissed either.<br>
> It appears that it would be some kind of user interface element (think<br>
> "popup" for a minute) that could display the OP's authentication ceremony.<br>
> But where the browser would somehow "certify" that it was not a phishing<br>
> attempt and came from one of the user's trusted OPs. In a way that is better<br>
> than having the user do a string compare on the URL shown in the address<br>
> bar.<br>
> What would such a user interface element look like? That's not limited to<br>
> what we can do without cooperation from the browser guys.<br>
> In Firefox, it could be sitting in the side bar for example. (where the<br>
> bookmarks are) Or ...?<br>
<br>
</div>Why not Seatbelt? I mean, naturally, a reimplemented version, but it<br>
seems to solve the UI/UX issues pretty nicely. It just sits quietly<br>
down in my status bar, and only pops up if I try to log in somewhere--<br>
and it always displays my current logged in / logged out status. And<br>
it can be configured for any OP.<br>
<br>
&lt;<a href="https://addons.mozilla.org/en-US/firefox/addon/5133" target="_blank">https://addons.mozilla.org/en-US/firefox/addon/5133</a>&gt;<br>
<font color="#888888"><br>
---Brendan O'Connor<br>
</font><div><div></div><div class="h5">_______________________________________________<br>
user-experience mailing list<br>
<a href="mailto:user-experience@openid.net">user-experience@openid.net</a><br>
<a href="http://openid.net/mailman/listinfo/user-experience" target="_blank">http://openid.net/mailman/listinfo/user-experience</a><br>
</div></div></blockquote></div><br>