<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META content=text/html;charset=Windows-1252 http-equiv=Content-Type>
<META name=GENERATOR content="MSHTML 8.00.7100.4129"></HEAD>
<BODY style="PADDING-LEFT: 10px; PADDING-RIGHT: 10px; PADDING-TOP: 15px"
id=MailContainerBody leftMargin=0 topMargin=0 CanvasTabStop="true"
name="Compose message area">
<DIV><FONT face=Calibri>> </FONT><FONT face="Times New Roman">unless your mom
is uber technical and running her own OpenID</FONT></DIV>
<DIV><FONT face=Calibri></FONT> </DIV>
<DIV><FONT face=Calibri>I never underestimate my mum's technical
knowledge since the day she helped me with Algebra, which she believed was
a place in central Africa.</FONT></DIV>
<DIV><FONT face=Calibri></FONT> </DIV>
<DIV><FONT face=Calibri>Anyway, yes, I think some kind of standard help text
would make things easier for non-technical folk. </FONT></DIV>
<DIV><FONT face=Calibri></FONT> </DIV>
<DIV><FONT face=Calibri>If at least the main OPs aren't hidden then that's a
good start. May try it out and see what happens if I find some
time.</FONT></DIV>
<DIV><FONT face=Calibri></FONT> </DIV>
<DIV><FONT face=Calibri>steven</FONT></DIV>
<DIV><FONT face=Calibri><A
href="http://livz.org">http://livz.org</A></FONT></DIV>
<DIV><FONT face=Calibri></FONT> </DIV>
<DIV style="FONT: 10pt Tahoma">
<DIV><BR></DIV>
<DIV style="BACKGROUND: #f5f5f5">
<DIV style="font-color: black"><B>From:</B> <A title=chris.messina@gmail.com
href="mailto:chris.messina@gmail.com">Chris Messina</A> </DIV>
<DIV><B>Sent:</B> Tuesday, September 22, 2009 5:16 PM</DIV>
<DIV><B>To:</B> <A title=openid-user-experience@lists.openid.net
href="mailto:openid-user-experience@lists.openid.net">OpenID user experience</A>
</DIV>
<DIV><B>Subject:</B> Re: Popup flow</DIV></DIV></DIV>
<DIV><BR></DIV>That's a good question and warrants wider study.
<DIV><BR></DIV>
<DIV>I would think that the blocking behavior would be based on the window
opener code in JavaScript (and Flash), but if they have a more aggressive popup
blocker, then perhaps it's based on certain hosts.</DIV>
<DIV><BR></DIV>
<DIV>That said, unless your mom is uber technical and running her own OpenID —
it seems unlikely that the big OpenID providers would be blocked. Additionally,
if an OP doesn't support the popup flow, then the full window redirect is the
fallback... perhaps we just need to have a recommendation that offers text to
the effect of "If you don't see a popup window, click here".</DIV>
<DIV><BR></DIV>
<DIV>Chris<BR><BR>
<DIV class=gmail_quote>On Tue, Sep 22, 2009 at 1:16 AM, Steven Livingstone-Perez
<SPAN dir=ltr>&lt;<A
href="mailto:weblivz@hotmail.com">weblivz@hotmail.com</A>&gt;</SPAN> wrote:<BR>
<BLOCKQUOTE
style="BORDER-LEFT: #ccc 1px solid; MARGIN: 0px 0px 0px 0.8ex; PADDING-LEFT: 1ex"
class=gmail_quote>A question. When a popup blocker stops a window popping up
does it do so based on the target domain or the host domain?<BR><BR>In other
words if the popup gets blocked every time an RP requests authentication to a
given OP then that could really be a usability issue. However if the user just
needs to accept this the once and the target domain (OP) popup is trusted then
that would be fine I'd think. In either case some usability studies would be
interesting.<BR><BR>It just pains me to think of my mum sitting wondering why
she can't log into MumsRUs because the popup isn't being displayed and me
having to tell her to enable it each time on the popup
blocker.<BR><BR>steven<BR><A href="http://livz.org"
target=_blank>http://livz.org</A><BR><BR>--------------------------------------------------<BR>From:
"Allen Tom" &lt;<A href="mailto:atom@yahoo-inc.com"
target=_blank>atom@yahoo-inc.com</A>&gt;<BR>Sent: Tuesday, September 22, 2009
1:50 AM<BR>To: "OpenID user experience" &lt;<A
href="mailto:openid-user-experience@lists.openid.net"
target=_blank>openid-user-experience@lists.openid.net</A>&gt;<BR>Subject: Re:
Popup flow
<DIV>
<DIV></DIV>
<DIV class=h5><BR><BR>
<BLOCKQUOTE
style="BORDER-LEFT: #ccc 1px solid; MARGIN: 0px 0px 0px 0.8ex; PADDING-LEFT: 1ex"
class=gmail_quote>Hi Darren,<BR><BR>I am not aware of any OAuth SPs which
condone having their Login/Approval pages framed by a 3rd party website.
If the site embeds the SP's Login screen, the user has no way of
telling if they're being phished.<BR><BR>The OpenID Popup Extension requires
the RP to open the popup window with the Address Bar clearly displayed, and
explicitly forbids the OP's Login/Approval screen from being framed. Given
that the address bar is displayed, the security properties of the popup
window are identical to the browser redirect.<BR><BR>Allen<BR><BR>Darren
Bounds wrote:<BR>
<BLOCKQUOTE
style="BORDER-LEFT: #ccc 1px solid; MARGIN: 0px 0px 0px 0.8ex; PADDING-LEFT: 1ex"
class=gmail_quote>I find it curious that these compromises have been
embraced by the<BR>OAuth community to support a greater UX but they are
not being<BR>embraced by OpenID. After all, isn't an iPhone UIWebView
control just<BR>a different type of iFrame? You're still trusting parent
application<BR>not to do something
malicious.<BR><BR></BLOCKQUOTE><BR>_______________________________________________<BR>user-experience
mailing list<BR><A href="mailto:user-experience@lists.openid.net"
target=_blank>user-experience@lists.openid.net</A><BR><A
href="http://lists.openid.net/mailman/listinfo/openid-user-experience"
target=_blank>http://lists.openid.net/mailman/listinfo/openid-user-experience</A><BR><BR></BLOCKQUOTE></DIV></DIV></BLOCKQUOTE></DIV><BR><BR
clear=all><BR>-- <BR>Chris Messina<BR>Open Web Advocate<BR><BR>Personal: <A
href="http://factoryjoe.com">http://factoryjoe.com</A><BR>Follow me on Twitter:
<A
href="http://twitter.com/chrismessina">http://twitter.com/chrismessina</A><BR><BR>Citizen
Agency: <A href="http://citizenagency.com">http://citizenagency.com</A><BR>Diso
Project: <A href="http://diso-project.org">http://diso-project.org</A><BR>OpenID
Foundation: <A href="http://openid.net">http://openid.net</A><BR><BR>This email
is: [ ] shareable [X] ask first [ ] private<BR></DIV>
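<DIV>The two behaviours discussed in this thread, as an added example that is not part of the original messages: an RP opening the OP's page in a popup with the address bar shown and falling back to the full-window redirect when the popup is blocked, and an OP page refusing to render when framed. The function names, the <CODE>win</CODE> and <CODE>showHint</CODE> parameters and the window name are hypothetical.</DIV>

```javascript
// Added example; startLogin and loginPageMayRender are hypothetical names.
// `win` is the browser's window object, passed in as a parameter so the
// logic can also be exercised outside a browser with a stub object.

// RP side: try the popup flow; if the popup is blocked, offer the
// full-window redirect as the fallback.
function startLogin(win, opAuthUrl, showHint) {
  // Ask for the address bar so the user can check the OP's URL.
  const features = "width=500,height=500,location=yes,status=yes";
  let popup = null;
  try {
    popup = win.open(opAuthUrl, "openid_popup", features);
  } catch (e) {
    popup = null; // treat any failure to open as a blocked popup
  }
  if (popup === null || popup === undefined || popup.closed) {
    // Blocked: show "If you don't see a popup window, click here",
    // wired to the same redirect the non-popup flow uses.
    showHint(function () {
      win.location.href = opAuthUrl;
    });
    return "blocked";
  }
  popup.focus();
  return "popup";
}

// OP side: the login/approval page renders only as a top-level window.
// A server-sent "X-Frame-Options: DENY" header is the non-script complement.
function loginPageMayRender(win) {
  return win.top === win.self;
}
```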
</BODY></HTML>