Sorry to say this. Even though you think the situation is "overblown", I think you have "really lost it", I think you have really gone "NUTS". I think your own suggestion in an earlier post that you would like to go to Australia, frankly, I think, is a good idea and you should keep up with that promise.
On Tue, Jun 8, 2010 at 10:47 AM, Eran Hammer-Lahav <[email protected]> wrote:

> > -----Original Message-----
> > From: [email protected] [mailto:openid-specs-
> > [email protected]] On Behalf Of John Panzer
> > Sent: Monday, June 07, 2010 9:47 PM
> >
> > (Note that exactly the same issues arise when downloading extensions. JS is
> > just a way of delivering always-latest-version extensions to your browser.)
>
> Only in this case, the user is in full control over what extensions are
> being installed and updated in its browser.
>
> If Google, Yahoo, Microsoft, and the rest of the companies supporting the
> OpenID effort deployed the server-side half of this proposal, and spent a
> little money on developing plug-ins for all the major browsers (with Google
> and Microsoft able to also include it in the next release of their browser),
> it will create the tipping point in getting some form of identity selector
> in the browser.
>
> It was one thing for the OpenID community of 3 years ago to hack the
> protocol around the limitations of that time. These arguments are just
> insincere when they come from Google, now that you have a pretty successful
> browser (especially considering its age) and massively huge web footprint to
> promote such a feature.
>
> At the end, until you no longer use a script hosted in a single server,
> whoever is in control of this server can do whatever they like. Yes, if they
> do something bad it will be noticed, but that's like putting a bag full of
> cash on a street corner with a video camera next to it. Add to that the
> wealth of information the xauth.org site operator can gather without
> anyone's knowledge, this becomes a scary proposition.
>
> Your entire argument is that my concerns are "overblown", but not that the
> basic premise is incorrect. XAuth uses a single web server which is the most
> essential part of the proposal. The fact that the data itself isn't stored
> on that server (say, in a cookie sent to it) is an improvement over using
> cookies to store this data, but not by much.
>
> If this was something like the gravatar service - maybe. But you are asking
> for blind trust in something that is core to web security and privacy.
>
> EHL
> _______________________________________________
> specs mailing list
> [email protected]
> http://lists.openid.net/mailman/listinfo/openid-specs

--
http://hi.im/santosh
_______________________________________________
specs mailing list
[email protected]
http://lists.openid.net/mailman/listinfo/openid-specs
