On Mon, Jun 7, 2010 at 1:13 PM, SitG Admin <[email protected]> wrote:
>> You're mis-characterizing the arguments here -- please read my blog post.
>
> Read it.

Great!

> Intent differs from effect. Breaking privacy to encourage browsers to fix
> it for you is provocative, whether meant to be so or not.

OK. To be clear, I do not believe that XAuth breaks privacy. Therefore, I
don't believe browsers need to 'fix' it. I believe that browsers, if given a
clear direction and an existing ecosystem that could be made better with
browser support, will do the right thing. Without that clear direction and
existing ecosystem, I don't believe they will do anything.

I think it would be great to have a discussion about the privacy and
security aspects of XAuth, which should start with a discussion about what
attacks we're worried about preventing, and how XAuth affects them.

As an example, there could be a security concern that knowing that I have an
active session with Google may help phishers know which identity provider to
simulate when I go to their site. Or, there may be a concern that XAuth will
help sites broadcast the fact that I have a "session" with them to the
world, and thus expose linkages I would prefer not to have exposed. Or there
may be worries that XAuth would allow sites to 'spam' my list of available
IdPs if they can get me to visit them.

These are all certainly issues, but they require individual discussions, and
it's not clear to me that moving functionality to the browser affects any of
these issues in a fundamental way.

>> That's fine, I'm just warning people that there's a larger echo chamber
>> effect beyond this one thread.
>
> Thanks. I was only aware of xAuth to the extent that it has been mentioned
> on these (OpenID) lists.
>
>> I disagree that XAuth, as a protocol that people can agree to start using,
>> is centralized. The initial _implementation_ relies on a central DNS name,
>> but that is an accident of today's browser limitations. That's a huge
>> difference from saying that it's inherently centralized.
>
> Agreed. I wasn't trying to say that it was *inherently* centralized, though
> this was my understanding of Eran's point originally; in my follow-up, I
> meant exactly what you said, that it starts this way (hence the "provoking
> browser vendors to fix it" bit).
>
> -Shade
_______________________________________________
specs mailing list
[email protected]
http://lists.openid.net/mailman/listinfo/openid-specs
