Troy Benjegerdes wrote:
If there is going to be a "mojo" in the browser then I think it ought to just take care of the authentication itself i.e. the site never gets an opportunity to be MITM because users appear to them to always be previously authenticated. I also think it _is_ a requirement that the browser vendors support this - right now you have to trust that the RP is a white hat.On Mon, Oct 16, 2006 at 12:31:48PM -0700, Scott Kveton wrote:Hey Rob,I'm trying to gather requirements for OpenID support. I think I have a reasonable understanding of the draft, but part of the appeal of OpenID is that it doesn't necessarily require browser vendors to do anything :)I've seen the proposed 2617-style HTTP authentication scheme on the wiki. What else could browser vendors do to make OpenID a smoother experience for users?As I posted on the Mozilla wiki: http://wiki.mozilla.org/Firefox/Feature_Brainstorming#Identity I'd love to see some anti-phishing mojo baked into the browser. If the user could set their trusted IdP (or multiple as the case may be) in the browser and then have the browser do something obvious when the users is presented with an "untrusted" page asking for their password that would be great IMHO.I think there needs to be more overlap between the people on the OpenID list and people on the IETF DIX list... Both of these groups of people seem to have similiar ideas, and different approaches. A real solution to this distributed identity problem is going to involve both groups.
-- Pete
smime.p7s
Description: S/MIME Cryptographic Signature
_______________________________________________ dix mailing list [email protected] https://www1.ietf.org/mailman/listinfo/dix
