> -----Original Message-----
> From: [email protected] [mailto:openid-specs-
> [email protected]] On Behalf Of John Panzer
> Sent: Monday, June 07, 2010 9:47 PM

> (Note that exactly the same issues arise when downloading extensions.  JS is
> just a way of delivering always-latest-version extensions to your browser.)

Only in this case, the user is in full control over what extensions are being 
installed and updated in their browser.

If Google, Yahoo, Microsoft, and the rest of the companies supporting the 
OpenID effort deployed the server-side half of this proposal, and spent a 
little money on developing plug-ins for all the major browsers (with Google and 
Microsoft also able to include it in the next release of their browsers), it 
would create the tipping point in getting some form of identity selector in the 
browser.

It was one thing for the OpenID community of 3 years ago to hack the protocol 
around the limitations of that time. These arguments are just insincere when 
they come from Google, now that you have a pretty successful browser 
(especially considering its age) and massively huge web footprint to promote 
such a feature.

In the end, until you no longer use a script hosted on a single server, whoever 
is in control of that server can do whatever they like. Yes, if they do 
something bad it will be noticed, but that's like putting a bag full of cash on 
a street corner with a video camera next to it. Add to that the wealth of 
information the xauth.org site operator can gather without anyone's knowledge, 
and this becomes a scary proposition.

Your entire argument is that my concerns are "overblown", but not that the 
basic premise is incorrect. XAuth uses a single web server which is the most 
essential part of the proposal. The fact that the data itself isn't stored on 
that server (say, in a cookie sent to it) is an improvement over using cookies 
to store this data, but not by much.

If this were something like the gravatar service - maybe. But you are asking for 
blind trust in something that is core to web security and privacy.

EHL
_______________________________________________
specs mailing list
[email protected]
http://lists.openid.net/mailman/listinfo/openid-specs