Non-browser Identity Verification
Martin Atkins
mart at degeneration.co.uk
Wed May 18 12:16:13 PDT 2005
Brad Fitzpatrick wrote:
>
> Okay, I think I hear you now. Not all client apps (consumers) will use an
> HTTP library that uses the "system's" cookies, which is unreliable anyway,
> since what browser is the system one? But you're still going to invoke
> their default browser anyway, right, to send them to their homesite to do
> their auth? Otherwise they're giving their password to the consumer app,
> which is scary.
>
I did lots of thinking about giving the username and password to the
app, but I concluded that it doesn't really matter that much. The user
can decide whether or not to trust the software, just like the user
trusts that his email client will not send his email password off to
some collector site, or that a LiveJournal desktop client won't do
similarly.
Paranoid people can just not use any software which demands their passwords.
More information about the yadis mailing list