On Thu, Dec 17, 2009 at 08:19:01AM -0800, John Panzer wrote:

> The question is how much of an actual additional phishing risk this
> type of information leak is.

I think unexpected and unintended information leaks are always bad. Phishing is just one current (mis)use of leaked information, and I'm sure that in the future we'll see other (mis)uses that have not yet been imagined or articulated.

> The browsers have accidentally conducted
> an experiment for us. The result so far appears to indicate that this
> information provides little additional benefit to phishers as they
> haven't used it for known successful attacks. Additional data most
> welcomed.

As I think Breno said, we don't want to throw the usability out with the privacy bathwater, but it bothers me how your recent messages seem to downplay the importance of privacy protection. Maybe I'm just misreading again.

Anyway, I'd prefer that we not have abstract arguments about the merits of privacy protection. Clearly some users value "privacy." Clearly the spec could provide mechanisms that empower users (and OPs) to provide privacy protections. Clearly too many MUST clauses and complex mechanisms will hamper development and acceptance by those who have to build and run systems.

So let's talk about concrete proposals, eh? I made a proposal a couple days ago that nobody responded to -- perhaps the In-Reply-To header buried it too deep in the long-running thread, so I'll re-post. Perhaps we can devise something that seems to appease privacy concerns without overburdening implementors.

-Peter

_______________________________________________
specs mailing list
[email protected]
http://lists.openid.net/mailman/listinfo/openid-specs
