My point was that (a) Users, and thus the OPs they delegate their trust to, should be in control of this info; though (b) we have a long-standing hole in browsers that gives ~equivalent information to phishers, and this is not one I've heard of them using (perhaps you have). It's a good opportunity to look at what attack vectors this has enabled in the real world before throwing the usability baby out with the security bathwater.
--
John Panzer / Google
[email protected] / abstractioneer.org / @jpanzer

On Tue, Dec 15, 2009 at 9:12 AM, Breno de Medeiros <[email protected]> wrote:
>>
>> So could you please clarify whether you are saying you agree with John's
>> intended main point, that OPs could (should?) address this with a privacy
>> mechanism (in which case I'm curious whether you think the foundation and spec
>> should require or encourage such mechanisms) *or* whether you think the
>> DOM/JS flaw means OpenID shouldn't worry about user privacy?
>>
>
> I think John's point is that the mechanism to protect privacy should
> be optionally available to OPs: there should be a rule to allow OPs to
> push this information without user consent.
>
> John anchored this point on the fact that the information is already
> available via DOM/JS tricks. I think that these DOM/JS tricks are not
> difficult to fix on the client side, so I would prefer not to make
> arguments for how to move forward based on accidental circumstances.
> Regardless of the justification, one could argue that OPs should not
> be mandated to implement the privacy solution because they may know
> better what their consumers want. That is good as far as it goes, but we
> should still make sure that the design makes it easy for RPs to
> implement the privacy issue, because if it becomes an issue of
> technical complexity (as opposed to finding out what users want) and
> there's a loophole (it's optional), then it will likely not be
> implemented.
>
> The risk of having no privacy story is a backlash that results in the
> baby being thrown out with the bath water.

_______________________________________________
specs mailing list
[email protected]
http://lists.openid.net/mailman/listinfo/openid-specs
