On Thu, May 22, 2025 at 12:58 PM Phillip Hallam-Baker <ph...@hallambaker.com>
wrote:

> On Thu, May 22, 2025 at 1:58 PM Eric Rescorla <e...@rtfm.com> wrote:
>
>>>> * Allowing the site to control the timing of the authentication
>>>>   (e.g., letting you connect unauthenticated and then upgrading).
>>>> * Allowing the site to offer multiple authentication options.
>>>> * Allowing the site to control the look and feel of the interaction.
>>>>
>>>
>>> I don't want the site to be doing any of that. I want there to be a
>>> single consistent authentication experience across everything. Without
>>> consistency, users have no idea what they are doing and the scheme is
>>> vulnerable to social engineering attacks.
>>>
>>
>>>> What matters here is not what you want but rather what the site wants,
>>>> and in my experience they want these properties.
>>>> So, again, I ask: which major players in the current ecosystem are
>>>> interested in this.
>>>>
>>>
> I missed this the first time. Are you serious?
>
> 'What matters here is not what you want but rather what the site wants'
>
> So, we only listen to the businesses and corporations, not the Web users?
>

No. I think we should design technologies that benefit users, but we should
spend our time designing technologies that will actually get deployed. And
that means understanding whether there is demand for these technologies by
the people in charge of deploying them. That doesn't of course mean that
every feature of those technologies needs to be to the liking of those
players, and often it will not be, but if there is no interest in the big
picture, then I don't think standardization work is useful.


> I think you are dead wrong about what the sites want. I have heard many,
> many sites say they want OpenID without having Facebook or Google in the
> loop. They absolutely do not want an auth system that has their biggest
> competitive threats seeing who visits them.
>

In that case there will be interest and this might be worth doing.

-Ekr
_______________________________________________
TLS mailing list -- tls@ietf.org
To unsubscribe send an email to tls-le...@ietf.org