> It's a good opportunity to look at what attack vectors this
> has enabled in the real world before throwing the usability baby out
> with the security bathwater.

And for not throwing the usability baby out I gave a +1 to John ;-)
> --
> John Panzer / Google
> [email protected] / abstractioneer.org / @jpanzer
>
> On Tue, Dec 15, 2009 at 9:12 AM, Breno de Medeiros <[email protected]> wrote:
>>>
>>> So could you please clarify whether you are saying you agree with John's
>>> intended main point, that OPs could (should?) address this with a privacy
>>> mechanism (in which case I'm curious whether you think the foundation and
>>> spec should require or encourage such mechanisms) *or* whether you think the
>>> DOM/JS flaw means OpenID shouldn't worry about user privacy?
>>>
>>
>> I think John's point is that the mechanism to protect privacy should
>> be optionally available to OPs: There should be a rule to allow OPs to
>> push this information without user consent.
>>
>> John anchored this point on the fact that the information is already
>> available via DOM/JS tricks. I think that these DOM/JS tricks are not
>> difficult to be fixed on the client side so I would prefer not to make
>> arguments for how to move forward based on accidental circumstances.
>> Regardless of the justification, one could argue that OPs should not
>> be mandated to implement the privacy solution because they may know
>> better what their consumers want. That is good as it goes, but we
>> should still make sure that the design makes it easy for RPs to
>> implement the privacy issue, because if it becomes an issue of
>> technical complexity (as opposed to finding out what users want) and
>> there's a loophole (it's optional), then it will likely not be
>> implemented.
>>
>> The risk of having no privacy story is a backlash that results in the
>> baby being thrown out with the bath water.
>> _______________________________________________
>> specs mailing list
>> [email protected]
>> http://lists.openid.net/mailman/listinfo/openid-specs
