Johannes Ernst's Blog

Information Cards Have the NASCAR Problem, Too

Thu, 04 Jun 2009 14:20:00 PDT

Paul Trevithick notes that most users don't know what the purple information card logo might mean on a website and thus have no incentive to click on it to attempt to log in.

That observation is of course correct, and identical to the observation about the OpenID logo: most users don't know what that means either, and so won't try to use it.

Paul goes on to suggest that perhaps it would be more effective to show the logos of prominent information card issuers with which the user is more likely to be familiar with.

Which is exactly which led to the line of reasoning in the OpenID world to show, on a relying party site, the logos of prominent OpenID providers such as Google, Yahoo, Myspace and the like. Because the list of those is so long and grows all the time, this has been referred to as OpenID's NASCAR problem.

Paul's line of reasoning shows that the exact same problem applies to information cards for the exact same reason. The argument that is sometimes heard ("information cards don't have the NASCAR problem because of the client-side selector") is incorrect.

[The NASCAR problem could be alleviated if the client-side component was responsible for rendering the issuer logos on the browser canvas displaying the relying party site, and only showed those logos that corresponded to applicable cards in the user's card store. But as far as I know, no selector currently does that, and even if it did, it is not obvious that a site would let the selector "pollute" its page without knowing what exactly does show up on that page. Again, OpenID would have the same problem with client-side components such as Mozilla's.]

What about we drop the NASCAR argument in the OpenID vs. information cards discussion, and figure out how to solve the common issue instead? ;-)

[permanent link]

Off-Subject: Head, Neck and Back Pain

Thu, 14 May 2009 10:57:00 PDT

If you suffer from any of the above, or any pain at all, and haven't come across the writings of Dr. Jolie Bookspan, I recommend highly you take a look.

She just put something I wanted to get off my chest on her blog at Healthline.

For somebody with an engineering background like me, I understand and totally relate to her particular view on how to fix pain. As I wrote there, it's working better for me than anything else ever, and apparently I'm not the only one.

Her blog is very worthwhile to read, and her books should be required reading for all physical therapists, chiropractors, or anybody who has ever taken or prescribed a pain killer. Sadly, they are not. (They are also often very funny, in the "why didn't I think myself that that kind of conventional wisdom simply has to be wrong" kind of category.)

She also has one of the most impressive resumes that I've ever come across.

If you have any kind of pain, I virtually guarantee you will be glad to have spent a bit a time on this.

[permanent link]

Phriend Phishing in the Wild

Thu, 14 May 2009 10:10:00 PDT

[Additions in red in response to Bavo's comments.]

Should have guessed that Phriend Phishing was first going to happen to somebody famous.

Now, how could that have been prevented?

What if:

Twitter adopted OpenID as the only way of authenticating.
Twitter showed the authenticated OpenID identifier instead of a (possibly made up) user handle on all tweets.
Kanye West would have used his official website URL as his OpenID.
Ergo, everybody could follow the OpenID to determine whether any phriend phishing is going on or not if it is clear to the user that the chosen OpenID URL represented the official site of Kanye West.

I admit that scenario is not entirely viable yet. For example, users are not familiar and comfortable enough yet with OpenID that a major-volume site like Twitter could switch to OpenID-only. But it's close, and that's the kind of adoption barriers that we need to work on over the next 12-18 months in the OpenID community.

Bavo points that that by itself, the OpenID identifier is no more authoritative than any arbitrarily chosen user name on Twitter. I agree. However, by establishing the link between Kayne's website and the Twitter account via OpenID, it would be cryptographically proven that the website owner owns the particular Twitter account, which reduces the attack surface for Phriend Phishing by half. That is not too shabby and unobtainable by any other means that I'm aware of that works on the web. That was intended to be my point with this post. In case of famous people with fans, like here, the types of people who will follow their idol on Twitter are very very likely to know their authoritative website, so this would work very well.

For completeness: this scenario also requires trust that the relying party (here: Twitter) isn't hostile, has implemented OpenID correctly, and communicated clearly in their user interface that the OpenID has been verified. That would be a reasonable assumption in case of Twitter. Now we just need them to implement OpenID ;-)

[permanent link]

Mozilla Labs: OpenID In The Browser

Thu, 07 May 2009 08:45:00 PDT

Great demo from Mozilla Labs: OpenID support directly in the browser. Visit a site a second time, and it immediately logs you in, no button clicking required at all. Exactly how it should be!

Check out the video.

When can I have it in Firefox? Can't wait ...

[permanent link]

Ben Laurie: "Why Privacy Will Always Lose"

Mon, 04 May 2009 14:44:00 PDT

Deducted meticulously, and hard to disagree with, he finds:

The popularity of a social networking site will be in inverse proportion to the goodness of its privacy controls.

Time to be depressed, or time to get on with the show?

[permanent link]