<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META content=text/html;charset=Windows-1252 http-equiv=Content-Type>
<META name=GENERATOR content="MSHTML 8.00.7100.4129"></HEAD>
<BODY style="PADDING-LEFT: 10px; PADDING-RIGHT: 10px; PADDING-TOP: 15px"
id=MailContainerBody leftMargin=0 topMargin=0 CanvasTabStop="true"
name="Compose message area">
<DIV><FONT face=Calibri>Cool ok. I had started to think about that the moment i
sent it. Be interested in the discussions around the security issues if anyone
has a pointer (happy to get a link offline).</FONT></DIV>
<DIV><FONT face=Calibri></FONT> </DIV>
<DIV><FONT face=Calibri>Browser API's to do this stuff are screaming out surely
but i know that's a big ask to get buy in from them.</FONT></DIV>
<DIV><FONT face=Calibri></FONT> </DIV>
<DIV><FONT face=Calibri>steven</FONT></DIV>
<DIV><FONT face=Calibri><A
href="http://livz.org">http://livz.org</A></FONT></DIV>
<DIV><FONT face=Calibri></FONT> </DIV>
<DIV style="FONT: 10pt Tahoma">
<DIV><BR></DIV>
<DIV style="BACKGROUND: #f5f5f5">
<DIV style="font-color: black"><B>From:</B> <A title=chris.messina@gmail.com
href="mailto:chris.messina@gmail.com">Chris Messina</A> </DIV>
<DIV><B>Sent:</B> Monday, September 21, 2009 5:24 PM</DIV>
<DIV><B>To:</B> <A title=openid-user-experience@lists.openid.net
href="mailto:openid-user-experience@lists.openid.net">OpenID user experience</A>
</DIV>
<DIV><B>Subject:</B> Re: Popup flow</DIV></DIV></DIV>
<DIV><BR></DIV>2009/9/21 Steven Livingstone P้rez <SPAN dir=ltr><<A
href="mailto:weblivz@hotmail.com">weblivz@hotmail.com</A>></SPAN><BR>
<DIV class=gmail_quote>
<BLOCKQUOTE
style="BORDER-LEFT: #ccc 1px solid; MARGIN: 0px 0px 0px 0.8ex; PADDING-LEFT: 1ex"
class=gmail_quote>
<DIV>I would have thought an IFrame injected into the page woudn't cause popup
issues.<BR></DIV></BLOCKQUOTE>
<DIV><BR></DIV>
<DIV>Injected iframes are a bad idea especially ones that ask you to enter
your credentials.</DIV>
<DIV><BR></DIV>
<DIV>Indeed, while the injected iframe approach has certainly usability benefits
(i.e. no new windows to lose track of) they present untenable security issues
that, ultimately, mean that they cannot be used.</DIV>
<DIV><BR></DIV>
<DIV>Facebook has been somewhat erratic in its enforcement of the popup flow
making exceptions for certain partners. The problem is not the good actors who
implement the technology correctly, though, it's that users don't develop an
expectation to look for the popup, which affords them certain security-enhancing
signals, like the URL bar, the presence of the HTTPS indicator and so on.</DIV>
<DIV><BR></DIV>
<DIV>Even if most people ignore these things, for those who *know* to inspect
them, the popup is an order of magnitude more security-preserving.</DIV>
<DIV> </DIV>
<BLOCKQUOTE
style="BORDER-LEFT: #ccc 1px solid; MARGIN: 0px 0px 0px 0.8ex; PADDING-LEFT: 1ex"
class=gmail_quote>
<DIV><BR>Is the popups generally going to be new window instances? I'd be
surprised if the is the suggested way.<BR></DIV></BLOCKQUOTE>
<DIV><BR></DIV>
<DIV>I think we'll go through a transitional period. The big OpenID provider
would likely prefer the popup method which is less obtrusive than the full
window redirect, which can be confusing for some users.</DIV>
<DIV><BR></DIV>
<DIV>More usability research is needed here and that research needs to be
shared with the wider community so that we understand what the typical user
mental model is of signing in and whether they can comprehend why they're sent
back to their provider, rather than logged in directly.</DIV>
<DIV><BR></DIV>
<DIV>Chris</DIV>
<DIV> </DIV>
<BLOCKQUOTE
style="BORDER-LEFT: #ccc 1px solid; MARGIN: 0px 0px 0px 0.8ex; PADDING-LEFT: 1ex"
class=gmail_quote>
<DIV><BR>steven<BR><A href="http://livz.org"
target=_blank>http://livz.org</A><BR><BR>
<HR>
Date: Sun, 20 Sep 2009 17:38:19 -0700<BR>Subject: Re: Popup flow<BR>From: <A
href="mailto:chris.messina@gmail.com"
target=_blank>chris.messina@gmail.com</A><BR>To: <A
href="mailto:openid-user-experience@lists.openid.net"
target=_blank>openid-user-experience@lists.openid.net</A>
<DIV>
<DIV></DIV>
<DIV class=h5><BR><BR><BR><BR>
<DIV>On Sun, Sep 20, 2009 at 1:12 PM, Jonathan Coffman <SPAN dir=ltr><<A
href="mailto:jonathan.coffman@gmail.com"
target=_blank>jonathan.coffman@gmail.com</A>></SPAN> wrote:<BR>
<BLOCKQUOTE style="BORDER-LEFT: #ccc 1px solid; PADDING-LEFT: 1ex"><BR>Are
there concerns over users with ad-blockers or pop-up blockers and being able
to reach the OpenID flow?</BLOCKQUOTE>
<DIV><BR></DIV>
<DIV>There are some, yes. This needs to be widely tested, but we're able to
get around (read: interact with correctly) because the pop-up is launched by
user action, rather than automatically.</DIV>
<DIV><BR></DIV>
<DIV>Facebook seems to use this method without a problem, so perhaps Luke has
some insights.</DIV>
<DIV><BR></DIV>
<DIV>Chris</DIV>
<DIV><BR></DIV>
<DIV> </DIV>
<BLOCKQUOTE style="BORDER-LEFT: #ccc 1px solid; PADDING-LEFT: 1ex">
<DIV>
<DIV><BR><BR>On Sep 19, 2009, at 11:32 PM, Allen Tom wrote:<BR><BR>
<BLOCKQUOTE
style="BORDER-LEFT: #ccc 1px solid; PADDING-LEFT: 1ex">Jonathan Coffman
wrote:<BR>
<BLOCKQUOTE
style="BORDER-LEFT: #ccc 1px solid; PADDING-LEFT: 1ex"><BR>In seeing
Yahoo's announcement of their pop-up flow, and Google's previous
migration -- is this quickly becoming the defacto
standard?<BR></BLOCKQUOTE>Hi Jonathan,<BR><BR>Yahoo's usability testing
indicates that the new OpenID popup flow performs better than then old
redirect flow, and this is also consistent with Facebook's experience with
Connect.<BR><BR>The popup flow is currently an extension, meaning that
it's optional, and it's the RP's choice to invoke either the popup or
redirect. If you have the resources to experiment with both flows in a
production environment, definitely everyone would be very interested in
the results.<BR><BR>
<BLOCKQUOTE style="BORDER-LEFT: #ccc 1px solid; PADDING-LEFT: 1ex">Some
of my stakeholders are asking for a templated/co-branded experience so
that users, when redirected, see a logo, etc from the RP on the
sign-up/log-in page for our OP. Obviously, that's not too difficult to
do but I feel like the whole argument might be overcome with a
simplified OP design by utilizing the popup draft
spec.<BR><BR></BLOCKQUOTE>Section 6 in the Draft User Interface spec
defines a mechanism for the RP to pass its logos to the OP. Showing the
RP's logos to the user on the OP's approval/login screens definitely is
very helpful to users, and feedback from our testers in our usability labs
was overwhelmingly positive when we did this.<BR><BR>Speaking on behalf of
Yahoo, there are issues with displaying metadata about the RP that was not
manually reviewed for correctness by the OP. For instance, the RP could be
a malicious site that is pretending to be a trusted site, such as a bank.
The malicious RP could misrepresent itself by passing the bank logo to the
OP.<BR><BR>Other OPs that are planning to supporting the RP Icons portion
of the UI Extension may have other opinions about how important it is for
OPs to manually verify the RP's logos before displaying them to the
user.<BR><BR>An alternative approach for having the RP pass metadata about
itself to the OP (including icons, name, description) would be to use the
OpenID OAuth Hybrid Extension, and have all the RP metadata bound to the
RP's OAuth consumer_key. Most OAuth service providers usually have certain
business/legal criteria to issue an OAuth consumer_key, and in Yahoo's
case, business partners are allowed to have logos assocaited with their
consumer key, and all of these logos are manually reviewed before being
enabled.<BR><BR>Thanks<BR>Allen<BR><BR><BR><BR>_______________________________________________<BR>user-experience
mailing list<BR><A href="mailto:user-experience@lists.openid.net"
target=_blank>user-experience@lists.openid.net</A><BR><A
href="http://lists.openid.net/mailman/listinfo/openid-user-experience"
target=_blank>http://lists.openid.net/mailman/listinfo/openid-user-experience</A><BR></BLOCKQUOTE><BR>_______________________________________________<BR>user-experience
mailing list<BR><A href="mailto:user-experience@lists.openid.net"
target=_blank>user-experience@lists.openid.net</A><BR><A
href="http://lists.openid.net/mailman/listinfo/openid-user-experience"
target=_blank>http://lists.openid.net/mailman/listinfo/openid-user-experience</A><BR></DIV></DIV></BLOCKQUOTE></DIV><BR><BR
clear=all><BR>-- <BR>Chris Messina<BR>Open Web Advocate<BR><BR>Personal: <A
href="http://factoryjoe.com" target=_blank>http://factoryjoe.com</A><BR>Follow
me on Twitter: <A href="http://twitter.com/chrismessina"
target=_blank>http://twitter.com/chrismessina</A><BR><BR>Citizen Agency: <A
href="http://citizenagency.com"
target=_blank>http://citizenagency.com</A><BR>Diso Project: <A
href="http://diso-project.org"
target=_blank>http://diso-project.org</A><BR>OpenID Foundation: <A
href="http://openid.net" target=_blank>http://openid.net</A><BR><BR>This email
is: [ ] bloggable [X] ask first [ ]
private<BR><BR></DIV></DIV>
<DIV class=hm>
<HR>
Hotmail: Powerful Free email with security by Microsoft. <A
href="http://clk.atdmt.com/GBL/go/171222986/direct/01/" target=_blank>Get it
now.</A></DIV></DIV><BR>_______________________________________________<BR>user-experience
mailing list<BR><A
href="mailto:user-experience@lists.openid.net">user-experience@lists.openid.net</A><BR><A
href="http://lists.openid.net/mailman/listinfo/openid-user-experience"
target=_blank>http://lists.openid.net/mailman/listinfo/openid-user-experience</A><BR><BR></BLOCKQUOTE></DIV><BR><BR
clear=all><BR>-- <BR>Chris Messina<BR>Open Web Advocate<BR><BR>Personal: <A
href="http://factoryjoe.com">http://factoryjoe.com</A><BR>Follow me on Twitter:
<A
href="http://twitter.com/chrismessina">http://twitter.com/chrismessina</A><BR><BR>Citizen
Agency: <A href="http://citizenagency.com">http://citizenagency.com</A><BR>Diso
Project: <A href="http://diso-project.org">http://diso-project.org</A><BR>OpenID
Foundation: <A href="http://openid.net">http://openid.net</A><BR><BR>This email
is: [ ] shareable [X] ask first [ ] private<BR>
<P>
<HR>
<P></P>_______________________________________________<BR>user-experience
mailing
list<BR>user-experience@lists.openid.net<BR>http://lists.openid.net/mailman/listinfo/openid-user-experience<BR></BODY></HTML>