On Mon, Jun 7, 2010 at 2:13 PM, SitG Admin <[email protected]> wrote:

>> OK. To be clear, I do not believe that XAuth breaks privacy. Therefore, I
>> don't believe browsers need to 'fix' it.
>
> Um . . . you admit (on the blog post) that the only reason this first
> version relies on a single (central) domain is because browsers do not
> currently support it. You also want XAuth to "bootstrap" the (future)
> browser-centric solution. Let's recap:
>
> 1) The browsers, in their current incarnation, do NOT support XAuth.
> 2) You see a future where browsers add support for XAuth.
> 3) You think that XAuth will encourage browsers to add support.
>
> If the status quo persists then THERE IS A PROBLEM (for XAuth).

I don't see how that follows. My position is that the world would be better with browser XAuth support but it is not broken without it. You seem to think a non-browser-centric version is "broken", but you haven't explained why you think that.

Specifically, I haven't seen a privacy issue which is simply 'solved' by moving responsibility into the browser. I believe browsers are in the best position to do certain things (like not rely on a central DNS name, remove SPOFs, and help implement anti-phishing) but these don't specifically address 'privacy'. Is there a specific privacy attack / leak you're worried about that we could discuss?

> You are proposing to present browser vendors with a broken model and say
> "Here, it doesn't work *exactly* as advertised yet, but if you add support
> for it, it will!": this is functionally equivalent to "We're going to be
> marketing this to users as if it weren't broken, so if you don't like that,
> it's YOUR job to fix it."

No, I'm saying it works as advertised, and would work even better if they start to support it. If they don't, their users will miss out on a better user experience. If they do, then their users would be happier. The fact that IdPs and RPs already (in this scenario) rely on XAuth makes this a much easier sell than if we were going to them with a blue-sky idea.

Does that make sense?

> -Shade
_______________________________________________
specs mailing list
[email protected]
http://lists.openid.net/mailman/listinfo/openid-specs
