> I hope I'm not over-reacting here

But you are. There's nothing new about this issue, I mentioned it on my blog a while ago.

> Was calling it a "public" persona not the right choice of words? Is the
> following documentation, linked prominently from the box you must check
> to make a persona public, at all unclear or misleading?

It's not about the wording or the documentation. Nobody actually reads it. I'm speaking out of experience with many users logging into phpbb-openid demo boards and being genuinely surprised to find out that their email addresses are publicly visible. You shouldn't assume every user is intimately familiar with concepts such as public personas. Here is just one recent illustration: http://test2.phpbb.cc/viewtopic.php?p=15#15

> Right now I'm not sure who this "wakeup call" caught sleeping, or more
> importantly, how we could have prevented them from nodding off in the
> first place.

I guess I already answered the first bit. As for prevention, I believe the default persona shouldn't become public automatically, and the "public" checkbox should be accompanied by a clearly visible single-line warning.

Regards,
Dmitry =damnian

_______________________________________________
security mailing list
[email protected]
http://openid.net/mailman/listinfo/security
