Re: [OpenID] OpenID and SSO
From: SitG Admin <sysadmin <at> shadowsinthegarden.com>
Subject: Re: [OpenID] OpenID and SSO
Newsgroups: gmane.comp.web.openid.general
Date: 2008-06-28 03:54:23 GMT
>Well, 'policy' and 'practice' are two different things.

True, so there's the "tendency" you spoke of - but it could still be more secure if it didn't rely on the user to put policy into practice. It's getting there that is the hard part - never underestimate the ability of a user to screw up any measures taken to protect them ;) (This, if anything, is a justification for Trusted Computing's "the user may not have access to their own key".)

I took the "user actions" Eric Norman spoke of to be *types* of user action - such as checking a URL visually (to make sure it's their OP), typing in their Identity, and clicking a button (though I don't readily see how this would be a security measure).

Another question is whether actions that Firefox takes on behalf of the user (such as filling in a field or notifying the user that this site's certificate doesn't match) can be treated as "user actions".

How about requiring the user to authenticate using multiple *literal* "domains"? Any one OP normally, but 2 or more in succession (that have previously been used) to make changes?

At the far extreme end of the spectrum, the login process is initiated for any site the user visits and completed automatically with all requested fields.

-Shade
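The "2 or more OPs in succession to make changes" idea above, worked through as relying-party policy code. This is an added example written for this page, not code from the poster, the OpenID specification, or any OpenID library; the window length, the required count, the class and function names and the sample events are all assumptions. It models the RP after it has already verified each OpenID assertion: ordinary logins are accepted from any single OP, but a sensitive change is only allowed once two distinct, previously-used OP hosts have each authenticated the account within a short window. A first-time OP is remembered but does not count toward the same step-up, so an attacker who controls one OP cannot satisfy the rule by adding a second one on the spot.

```python
"""Relying-party step-up policy: N distinct previously-used OPs in succession.

Added example for this mailing-list post; names, numbers and sample data are
assumptions, not part of OpenID itself.
"""
from dataclasses import dataclass, field
from urllib.parse import urlparse

STEP_UP_WINDOW = 600        # seconds in which the successive logins must fall (assumed)
REQUIRED_DISTINCT_OPS = 2   # "2 or more" OPs from the post


@dataclass
class AuthEvent:
    """One already-verified OpenID assertion, as the RP sees it."""
    claimed_id: str      # identifier the user typed / the OP asserted
    op_endpoint: str     # endpoint URL of the OP that signed the assertion
    ts: int              # unix time the RP verified the assertion


@dataclass
class Account:
    known_ops: set                                # OP hosts this account has used before
    recent: list = field(default_factory=list)    # (host, ts, was_known) tuples


def op_host(endpoint):
    """Reduce an OP endpoint to its literal hostname; refuse non-https endpoints."""
    u = urlparse(endpoint)
    if u.scheme != "https" or not u.hostname:
        raise ValueError("refusing non-https or malformed OP endpoint: %r" % endpoint)
    return u.hostname.lower()


def record_login(acct, ev):
    """Ordinary login: any single OP is enough.

    The OP host is remembered for future step-ups, but an OP seen for the
    first time does not itself count toward the step-up in progress.
    Returns whether the OP was already known for this account.
    """
    host = op_host(ev.op_endpoint)
    was_known = host in acct.known_ops
    acct.known_ops.add(host)
    acct.recent.append((host, ev.ts, was_known))
    return was_known


def fresh_known_ops(acct, now):
    """Distinct previously-known OP hosts that authenticated within the window.

    Stale events are pruned so the account record does not grow without bound.
    """
    cutoff = now - STEP_UP_WINDOW
    acct.recent = [r for r in acct.recent if cutoff <= r[1] <= now]
    return {host for host, ts, was_known in acct.recent if was_known}


def may_change_settings(acct, now):
    """Sensitive change allowed only after REQUIRED_DISTINCT_OPS fresh, known OPs."""
    return len(fresh_known_ops(acct, now)) >= REQUIRED_DISTINCT_OPS


if __name__ == "__main__":
    # Constructed sample: an account that has used two OPs before.
    acct = Account(known_ops={"op-a.example", "op-b.example"})
    record_login(acct, AuthEvent("https://alice.op-a.example/", "https://op-a.example/openid", 1000))
    print("after one OP:", may_change_settings(acct, 1050))      # False
    record_login(acct, AuthEvent("https://alice.op-b.example/", "https://op-b.example/server", 1200))
    print("after two OPs:", may_change_settings(acct, 1300))     # True
    print("window expired:", may_change_settings(acct, 1700))    # False
```

The distinctness check is on the literal OP hostname, matching the post's "*literal* domains"; two hostnames run by the same operator still count as two, so an RP that wants operator-level separation would need a stricter notion of "different" than this example encodes.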