|
|
Jun 04, 2009
[permanent link]
|
|
Paul Trevithick notes that
most users don't know what the purple information card logo might mean on a website
and thus have no incentive to click on it to attempt to log in.
That observation is of course correct, and identical to the observation about the
OpenID logo: most users don't know what that means
either, and so won't try to use it.
Paul goes on to suggest that perhaps it would be more effective to show the
logos of prominent information card issuers with which the user is more likely
to be familiar with.
Which is exactly which led to the line of reasoning in the OpenID world to
show, on a relying party site, the logos of prominent OpenID providers such as
Google, Yahoo, Myspace and the like. Because the list of those is so long and
grows all the time, this has been referred to as OpenID's
NASCAR
problem.
Paul's line of reasoning shows that the exact same problem applies to information
cards for the exact same reason. The argument that is sometimes heard ("information
cards don't have the NASCAR problem because of the client-side selector") is
incorrect.
[The NASCAR problem could be alleviated if the client-side component was responsible for
rendering the issuer logos on the browser canvas displaying the relying party site,
and only showed those logos that
corresponded to applicable cards in the user's card store. But as far as I know,
no selector currently does that, and even if it did, it is not obvious that
a site would let the selector "pollute" its page without knowing what
exactly does show up on that page. Again, OpenID would have the same problem
with client-side components such as
Mozilla's.]
What about we drop the NASCAR argument in the OpenID vs. information cards discussion,
and figure out how to solve the common issue instead? ;-)
|
|
[permanent link]
Add to [del.icio.us]
|
|
|
May 14, 2009
[permanent link]
|
|
If you suffer from any of the above, or any pain at all, and haven't come
across the writings of
Dr. Jolie Bookspan,
I recommend highly you take a look.
She just
put
something I wanted to get off my chest on her blog at Healthline.
For somebody with an engineering background like me, I understand and totally relate
to her particular view on how to fix pain. As I wrote there, it's working better for
me than anything else ever, and apparently I'm
not the only one.
Her blog is very worthwhile
to read, and her
books
should be required reading for all physical therapists, chiropractors, or anybody who
has ever taken or prescribed a pain killer. Sadly, they are not.
(They are also often very funny, in the "why didn't I think myself that that
kind of conventional wisdom simply has to be wrong" kind
of category.)
She also has one of the most impressive
resumes that I've ever come across.
If you have any kind of pain, I virtually guarantee you will be glad to have spent
a bit a time on this.
|
|
[permanent link]
Add to [del.icio.us]
|
|
|
May 14, 2009
[permanent link]
|
|
[Additions in red in response to
Bavo's comments.]
Should have guessed that
Phriend Phishing
was first going to happen to
somebody famous.
Now, how could that have been prevented?
What if:
- Twitter adopted OpenID as the only way of authenticating.
- Twitter showed the authenticated OpenID identifier instead of a (possibly made up) user
handle on all tweets.
- Kanye West would have used his official website URL as his OpenID.
- Ergo, everybody could follow the OpenID to determine whether any phriend phishing is
going on or not if it is clear to the user that the chosen OpenID
URL represented the official site of Kanye West.
I admit that scenario is not entirely viable yet. For example, users are not familiar and
comfortable enough yet with OpenID that a major-volume site like Twitter could switch to
OpenID-only. But it's close, and that's the kind
of adoption barriers that we need to work on over the next 12-18 months in the
OpenID community.
Bavo points that that by itself, the OpenID identifier is no
more authoritative than
any arbitrarily chosen user name on Twitter. I agree. However, by establishing the
link between Kayne's website and the Twitter account via OpenID, it would be cryptographically
proven that the website owner owns the particular Twitter account, which reduces the
attack surface for Phriend Phishing by half. That is not too shabby and unobtainable by any
other means that I'm aware of that works on the web. That was intended to be my
point with this post. In case of famous people with fans, like here, the types of people who
will follow their idol on Twitter are very very likely to know their authoritative
website, so this would work very well.
For completeness: this scenario also requires trust that
the relying party (here: Twitter) isn't hostile, has implemented OpenID correctly, and
communicated clearly in their user interface that the OpenID has been verified.
That would be a reasonable assumption in case of Twitter. Now we just need them
to implement OpenID ;-)
|
|
[permanent link]
Add to [del.icio.us]
|
|
|
May 07, 2009
[permanent link]
|
|
Great demo
from Mozilla Labs: OpenID support directly in the browser. Visit a site a second time,
and it immediately logs you in, no button clicking required at all.
Exactly how it should be!
Check out the video.
When can I have it in Firefox? Can't wait ...
|
|
[permanent link]
Add to [del.icio.us]
|
|
|
May 04, 2009
[permanent link]
|
|
Deducted meticulously, and hard to disagree with,
he finds:
The popularity of a social networking site will be in inverse proportion to the
goodness of its privacy controls.
Time to be depressed, or time to get on with the show?
|
|
[permanent link]
Add to [del.icio.us]
|
|
|
|
This work is licensed under a
Creative Commons License.
However, NetMesh, Situational, LID, Light-Weight Identity, and InfoGrid
are trademarks or registered trademarks of R-Objects Inc.,
doing business as NetMesh Inc. and no rights to trademarks are
granted. For the purposes of attribution, the author is "Johannes Ernst"
and attribution shall provide a (clickable, where possible) URL to this site.
|
|