OpenID Criticisms (a response) [blogs]
Matthew "cnj" Wronka said on Mon, 10 Sep 2007 19:52:27 -0400:
[09:37:33 AM] <dmcc> < http://www.idcorner.org/?p=161 >
[09:40:37 AM] <m> Point 1: "only sometimes" and "only when you're not paying attention"--which yes, is a problem.
[09:41:21 AM] <m> You can avoid the situation by making sure you're logged into the provider before you try logging into the other site, this is actually what LiveJournal (used to do?) and they would generate an error if you weren't already logged-in.
[09:41:59 AM] <dmcc> sounds like that should be part of the protocol
[09:42:18 AM] <m> user friendliness would be sacrificed
[09:42:59 AM] <m> proper use of SSL certs and more obvious browser indications when something is wrong should work in "most" cases, if people notice the SSL certs and don't ignore the warnings
[09:43:45 AM] <m> after a few paragraphs on that, it's basically saying "a host the user trusts could betray him"
[09:44:02 AM] <m> which, while a valid observation, shouldn't be considered an issue
[09:44:31 AM] <m> DNS robustness *is* a valid concern, however.
[09:45:00 AM] <m> But probably not as big of a problem as they want it to be.
[09:45:25 AM] <dmcc> i'm not sure if they *want* these things to be problems
[09:45:43 AM] <m> they being the people whom they are quoting
[09:45:47 AM] <dmcc> i'd be surprised if their goal wasn't improving security
[09:46:01 AM] <dmcc> they might not be especially constructive about it, though
[09:47:00 AM] <m> There are two issues with DNS poisoning, hijacking the response--which won't get you the user's login credentials, but will get you access to an OpenID site/prevent others from accessing it.
[09:47:18 AM] <m> This is limited scope, but if the site is important enough, could be valuable.
[09:48:08 AM] <m> But at the same time, the DNS system at the higher levels is not as problematic as it once was, and you'd think these servers would have a more trusted chain of servers.
[09:48:42 AM] <m> The other problem is simply redirecting users to a bad host. This is no more or less a problem than we already have.
[09:49:05 AM] <m> and is the bigger concern in any event
[09:53:48 AM] <m> The privacy concerns are all bollocks.
[09:54:14 AM] <m> "the site knows where you're logging in" is the only valid one
[09:54:24 AM] <m> (which they reword a couple times)
[09:55:32 AM] <m> choose a different provider if that's a concern for you, or be your own. Your ISP knows everywhere you go, log-in or not. It still beats what happens if you're using all of the Google services in my opinion.
[09:57:32 AM] <m> It confuses trust systems with Identity. Saying somebody is John doesn't say anything about who John is or if you should trust him. You just know he's John. It's not that OpenID isn't trustable, it's that OpenID doesn't say anything about the trustworthiness of the users.
[09:59:00 AM] <m> "people aren't used to it" and "some sites aren't designed with this in mind" makes up the usability section. I don't feel those deserve specific response.
[09:59:42 AM] <m> and of course, they then have a separate "adoption problems" section, which is what I thought the previous one was, just with a more generic name.
[10:00:39 AM] <m> There are ways to work around availability issues, but in general that's valid, although generally unlikely if you choose well.
[10:02:05 AM] <m> I was unaware that they patented OpenID, although they claim that they'll be stating that they won't assert the patent ... no story at the moment.
[10:02:20 AM] <m> 90% FUD
[10:03:01 AM] <m> well, 90% baseless FUD, 6% somewhat valid FUD
[10:03:12 AM] <m> 4% filler