Non-browser Identity Verification

Martin Atkins mart at degeneration.co.uk
Wed May 18 12:16:13 PDT 2005


Brad Fitzpatrick wrote:
> 
> Okay, I think I hear you now.  Not all client apps (consumers) will use an
> HTTP library that uses the "system's" cookies, which is unreliable anyway,
> since what browser is the system one?  But you're still going to invoke
> their default browser anyway, right, to send them to their homesite to do
> their auth?  Otherwise they're giving their password to the consumer app,
> which is scary.
> 

I did lots of thinking about giving the username and password to the 
app, but I concluded that it doesn't really matter that much. The user 
can decide whether or not to trust the software, just like the user 
trusts that his email client will not send his email password off to 
some collector site, or that a LiveJournal desktop client won't do 
similarly.

Paranoid people can just not use any software which demands their passwords.

