On Wed, 2006-10-04 at 19:40 +0100, Martin Atkins wrote:
> it's been my experience that users are willing to trade an awful lot of
> security to avoid software nagging at them repeatedly.

Which goes back to what Dick was saying about his myopenid.com login cookie not expiring. Users didn't like logging in after every time their browser restarted, so we made the cookie persistent.

Does that make us a "BadCitizen-IdP"? I don't believe it does. Expiring cookies sooner seems beneficial for a particular group of users, those who are: 1) cautious enough to not leave their myopenid.com password in their browser's password cache, and 2) careless enough to leave their desktops unlocked when unattended. The combination of those two contrasting qualities seems likely to be a small subset of our user base.

We hoped the remaining users who really wanted to not have old login cookies lying around would avail themselves of the "sign off" button.