Diva Canto wrote:
> There is nothing wrong with the mechanism and its roots. In fact, when I first read the spec I liked it a lot. But I hadn't used this until 2 hours ago.
>
> There is, potentially, a huge hole in the resulting system because it ignores how people interact with their computers. Did anyone make a serious study about how normal people react to being phished on using OpenID? That sounds like a great project for one of my colleagues here at UCI...
I agree with you re the concerns about normal users tending to not really check the security status of a page. Most wouldn't even know how to do this properly: they probably check whether there is the little padlock icon in the header, but that's about it. Very few know that that padlock icon is just an indicator and that one should check the certificate as well... and I've got to admit that it's been a long time since I checked the certificate of amazon.com, etc. And even if you do know how to check the certificate, what does it all mean?

A better approach would be OpenID coupled with an out-of-band channel that, for example, utilizes your mobile phone (think OpenID + mTAN), but that would mean that each authentication would cost a bit.

DrS/dirk

--
dr dirk husemann ---- virtual worlds research ---- ibm zurich research lab
SL: dr scofield ---- drscofi...@xyzzyxyzzy.net ---- http://xyzzyxyzzy.net/
RL: h...@zurich.ibm.com - +41 44 724 8573 - http://www.zurich.ibm.com/~hud/

_______________________________________________
Opensim-dev mailing list
Opensim-dev@lists.berlios.de
https://lists.berlios.de/mailman/listinfo/opensim-dev
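The out-of-band step sketched above (OpenID + mTAN), as an added example that is not from the original thread: a hypothetical server-side verifier that, after the OpenID login succeeds, sends a short-lived, single-use code over a separate channel (the `send_sms` callable is an assumed transport, not a real API) and binds the code to the login session, so a code captured by a phishing page cannot be replayed in another session or after it expires.

```python
import hmac
import hashlib
import secrets
import time
from dataclasses import dataclass

CODE_TTL_SECONDS = 120      # a phished code is only useful for a short window
MAX_ATTEMPTS = 3            # brute-forcing a 6-digit code must not be feasible

@dataclass
class Challenge:
    code_hash: bytes        # never store the plaintext code server-side
    expires_at: float
    attempts: int = 0
    used: bool = False

class OutOfBandVerifier:
    """Second step after a successful OpenID login: an mTAN-style code sent
    over a channel the web session cannot see (hypothetical SMS transport)."""

    def __init__(self, send_sms, clock=time.time):
        self.send_sms = send_sms          # assumed callable(phone_number, text)
        self.clock = clock                # injectable for testing expiry
        self.challenges: dict[str, Challenge] = {}

    @staticmethod
    def _hash(session_id: str, code: str) -> bytes:
        # Bind the code to the session so a code phished in one session
        # cannot be replayed in another.
        return hashlib.sha256(f"{session_id}:{code}".encode()).digest()

    def issue(self, session_id: str, phone_number: str) -> None:
        code = f"{secrets.randbelow(10**6):06d}"       # 6 digits from a CSPRNG
        self.challenges[session_id] = Challenge(
            code_hash=self._hash(session_id, code),
            expires_at=self.clock() + CODE_TTL_SECONDS)
        self.send_sms(phone_number, f"Your login code is {code}. It expires in 2 minutes.")

    def verify(self, session_id: str, code: str) -> bool:
        ch = self.challenges.get(session_id)
        if ch is None or ch.used or self.clock() > ch.expires_at:
            return False
        ch.attempts += 1
        if ch.attempts > MAX_ATTEMPTS:                   # lock out guessing
            return False
        if not hmac.compare_digest(ch.code_hash, self._hash(session_id, code)):
            return False
        ch.used = True                                   # single use
        return True
```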