[sldev] OpenID & SSL certificates

Argent Stonecutter secret.argent at gmail.com
Tue Oct 2 17:11:35 PDT 2007


On 02-Oct-2007, at 18:44, Dzonatas wrote:
> The best anti-phishing mechanism still does not solve the bottom  
> line goal of anti-fraud. It is not just the login that matters, but  
> there is the need to verify identity.

And that's the user name and password. It doesn't matter how many  
hoops you jump through, it's still coming down to a user name and  
password. There is NO WAY that people are going to put up with having  
to know anything more than a username and password to log in to a  
game. So anything stronger has to be optional, and if it's optional  
it doesn't do anything to prove identity where it isn't used.

On the other hand, you can design the system so that phishing is  
hard, and you can design the system so that phishing is easy.

Any mechanism where logging into the web is a normal step in logging  
in to SL makes phishing easier.

And making phishing easier makes fraud easier.

This is like saying that improving web client security won't help  
reduce fraud. People don't say that so often since botnets started  
getting really big.


