Consolidated Delegate Proposal
Dick Hardt
dick at sxip.com
Mon Oct 9 21:19:25 UTC 2006
I have finally got up on this thread and don't see the value of the
openid.display parameter.
The RP does not know who the user is when the user is using OpenID to
login, since that is why the RP is using OpenID, to find out who the
user is.
Having the user type in another parameter just lets the user see the
same thing at the IdP. What's the point?
The user clearly knows they are at two different sites, and I think
it is more important to have a consistent experience at the IdP
across RPs then to have a consistent experience between the RP and
the IdP.
The IdP must know who the user is in order to create a positive
response back to the RP, so the IdP will already have some display
values to show the user.
... so what am I missing?
-- Dick
On 9-Oct-06, at 10:56 AM, Drummond Reed wrote:
> Josh, your message arrived while I was writing my reply to David's.
>
> I agree completely that openid.display is primarily useful for i-name
> synonyms.
>
> You go on to say, "For URIs, the display name *must* be the same as
> the RP
> user identifier, because there is no other value is verifiable by
> the IdP."
>
> I was proposing that openid.display be treated simply a string, so
> neither
> an RP nor an IdP would ever never resolve it, verify it, use it as
> key, etc.
>
> openid.display would default to openid.rpuserid if the RP didn't
> send an
> openid.display value. And if openid.rpuserid was a CanonicalID,
> then an RP
> SHOULD at least send the i-name as openid.display.
>
> However if the RP wanted to prompt a user for a short Display Name,
> even if
> the User's Claimed Identifier was a URL, the RP *could* send this
> Display
> Name to the IdP, and the IdP *could* display it so the user
> experience was
> consistent across the two sites.
>
> For example:
>
> At RP site the prompts are:
>
> OpenID Identifier:
> Your Preferred Display Name:
>
> The user enters:
>
> OpenID Identifier: example.idp.com/some/long/URL
> Your Preferred Display Name: DSR
>
> The RP sends to IdP:
>
> openid.identity = http://example.idp.com/some/long/URL
> openid.rpuserid = http://example.idp.com/some/long/URL
> openid.display = DSR
>
> The IdP displays:
>
> Hello DSR. Do you want to login to YourFriendlyRP?
> Password: [ ]
> [Accept Once] {Accept Always] [Cancel]
>
>
> =Drummond
>
> -----Original Message-----
> From: joshhoyt at gmail.com [mailto:joshhoyt at gmail.com] On Behalf Of
> Josh Hoyt
> Sent: Monday, October 09, 2006 10:28 AM
> To: Recordon, David
> Cc: Drummond Reed; specs at openid.net
> Subject: Re: Consolidated Delegate Proposal
>
> On 10/9/06, Recordon, David <drecordon at verisign.com> wrote:
>> In terms of openid.display, shouldn't the IdP greet the user in
>> whatever
>> manner it uses? Thus if the user has an account on the IdP, the IdP
>> should always greet the user in the same manner with it. Seems like
>> both a usability, phishing, and potential XSS issue if the IdP greets
>> the user with a string from the RP.
>>
>> Am I just missing something there?
>
> The display name is only useful for XRI synonyms. Basically, =foo and
> =bar could both be tied to the same i-number. Doing resolution on =foo
> and =bar will yield the same "canonical id," which means that they
> represent one logical entity. Drummond wants the display name to tell
> the IdP *which* synonym the user entered at the RP so that the IdP can
> present that same synonym in the UI, since the "canonical id" is both
> the IdP user identifier and the RP user identifier, but is not
> user-friendly (=!1234.1234.1234.1234)
>
> For URIs, the display name *must* be the same as the RP user
> identifier, because there is no other value is verifiable by the IdP.
>
> Does that explanation help?
>
> Josh
>
> _______________________________________________
> specs mailing list
> specs at openid.net
> http://openid.net/mailman/listinfo/specs
>
>
More information about the specs
mailing list