Non-recoverable auth failure?

Carl Howells chowells at
Fri Jun 24 10:08:07 PDT 2005

Brad Fitzpatrick wrote:

> No.
> We're absolutely not encouraging the use of OpenID server UIs in
> consumer-initiated pop-up windows.  If anything screams "phish me please!"
> more, this is it.
> The consumers have two choices:  replace the existing window with the
> setup URL, or open the setup URL in a new (full) window.  Sure, they can
> try and put it in a pop-up, but I'll probably do something on LiveJournal
> to verify we're not in a pop-up and bitch (or pop-out) if so.
> Yes, phishing will still happen, but let's not encourage it.

Ok.  I'll admit, I wasn't thinking of that, and it's a valid concern. 
No encouraging popups of any sort.  :)

In that case, why not go with Paul's original suggestion?  It's as 
functional as and simpler than the current system.


More information about the yadis mailing list