Comments on: A Question For Passpack Users With OpenID

By: Passpack And OpenID: Under the Hood « Passpack Blog

Passpack And OpenID: Under the Hood « Passpack Blog — Mon, 01 Sep 2008 11:43:34 +0000

[...] And OpenID: Under the Hood Happy September everyone! Last week we threw around some ideas on which OpenID providers to accept and more importantly which not to [...]

By: Passpack’s Whitelist…It’s Unanimous « Passpack Blog

Passpack’s Whitelist…It’s Unanimous « Passpack Blog — Tue, 19 Aug 2008 11:38:58 +0000

[...] Whitelist…It’s Unanimous We previously mentioned our thoughts on Passpack and OpenID. The feedback was almost unanimous. You as users all seemed to [...]

By: Tara

Tara — Tue, 12 Aug 2008 08:23:36 +0000

@Kevin
Can you point me to the known bad providers? Are they all on PhishTank or are there other resources available? Thanks!

@Nicholas
Touché! I think Francesco is working on delegation support right now.

By: Nicholas Paldino

Nicholas Paldino — Mon, 11 Aug 2008 16:32:51 +0000

@Tara

I’m fine if they don’t adhere to the standard, but in that same spirit, you should adhere to the standard as well. Having some other page that the user is required to put on their site to allow delegation is not in the spirit of the standard.

By: Kevin Fox

Kevin Fox — Sun, 10 Aug 2008 00:35:17 +0000

In general I think creating a whitelist for OpenID providers is a bad thing. It sets a bad precedent and creates lots of problems for people who want to run their own provider, use delegation, or just are not using a provider on the whitelist.

There are known bad providers out there, and I would suggest using a blacklist and services like PhishTank.

With that said a list of providers that you can recommend to people who are interested in OpenID, or want to know which one they should use, would definitely be useful.

By: sullof

sullof — Sat, 09 Aug 2008 21:06:47 +0000

@Thor Marius K.H
I just tried the PhishTank’s API. We will support them. Thanks.

By: sullof

sullof — Sat, 09 Aug 2008 16:18:55 +0000

@Omar Shahine
Yes, we will support delegation.

By: Tara

Tara — Sat, 09 Aug 2008 15:55:34 +0000

Well, looks like the consensus is “definitely not A”. So given that, there’s all the other options and suggestions to look into.

Some combination of optional file / warning messages / “I know you don’t know me but stop bugging me setting” could work.

@Nicholas Paldino
We’ve been testing a bunch of providers, and indeed there are some which appear not to be adhering to the standard. We’ve not completed testing yet, and I would like to approach these providers, but if we’re not wrong in our testing (anything is possible right now) then there would be some providers not on the whitelist because they aren’t adhering to the standard.

@Thor Marius K.H
Excellent point.

@Nicholas Paldino & @GrrYumYum
RE: Our welcome message. Yup, we’re looking into better solutions. The current technique is hard for folks to understand.

Thanks everyone! Keep the suggestions coming – it’s incredibly helpful.

By: GrrYumYum

GrrYumYum — Sat, 09 Aug 2008 03:21:15 +0000

For me option B would be the most appropriate option, since A is way too restrictive.

As for the welcome message, it is completely useless for me since my IP address changes at regular intervals. An image, as previously suggested by Nicholas Paldino, would serve the purpose much better.

Yahoo!’s sign-in seal works quite nice by making use of Flash to store the image on the users computer, that way it doesn’t get lost if the user clears their browser cookies, and I’m sure only Yahoo! websites can read and display the stored image, preventing phishing attacks.

By: Thor Marius K.H

Thor Marius K.H — Fri, 08 Aug 2008 18:06:41 +0000

option D: Check every site against the PhishTank database using their API, if positive, deny, if negative, accept.