proposal: RP display

Dick Hardt dick at sxip.com
Tue Sep 19 03:12:26 UTC 2006


Problem:

Identity of the RP is based on either the return_url or trust_root.  
While these strings have the advantage that they are somewhat  
verifiable as they are where the response will be sent, neither of  
these are user friendly. An organization name and/or a graphic can be  
more communicative. Additionally, when the user is wanting to review  
something that happened with an RP later on, the URL may be quite  
cryptic.

The question arises, how does the IdP verify that the string or  
graphic is really associated with the RP? Given that the user started  
off at the RP, and that somehow the user knows the RP is really the  
RP (a separate issue), then the user will be surprised by a graphic  
or string that is not related to the site of the RP. In other words, if  
the user is being phished, a cryptic URL is not going to provide the  
user with anything they have not already seen in the browser. An org  
name and/or graphic can be verified as belonging to the RP by a 3rd  
party, so the IdP can show the user if the displayed info has been  
verified or not.

CardSpace is supporting signed graphics and I think is looking at the  
CA cert to check org name, so OpenID would be able to use a similar  
mechanism.

Proposal:
	The addition of two optional parameters:
	= 'openid.logo_url' - URL of either a signed or unsigned graphic (size TBD)
	= 'openid.org_name' - organization name of RP

Benefits:
	+ improved user experience
	+ mechanism for IdP to display verified data about RP to user

Drawbacks:
	- additional work required for IdP to support, although IdP could ignore
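
An added example, not part of the original message: one way an IdP could decide what to show for the two proposed parameters while keeping the URL as the verifiable identity. It assumes the trust root and return URL arrive as `openid.trust_root` and `openid.return_to`, and that a third-party-verified organization name (for instance the O= field of the RP's CA certificate) is passed in as the hypothetical `cert_org` argument; the function names and sample request are constructed, and checking a signed graphic is not covered.

```python
import unicodedata
from urllib.parse import parse_qs, urlsplit

# Constructed sample request; shop.example is a placeholder RP.
SAMPLE = ("openid.mode=checkid_setup"
          "&openid.return_to=https%3A%2F%2Fshop.example%2Fopenid%2Freturn"
          "&openid.trust_root=https%3A%2F%2Fshop.example%2F"
          "&openid.org_name=Example%20Shop%20Ltd"
          "&openid.logo_url=https%3A%2F%2Fshop.example%2Flogo.png")


def clean_label(text, max_len=64):
    """Make an RP-supplied string safe to render: control and format
    characters (newlines, bidi overrides) become spaces, then whitespace
    is collapsed and the length is bounded."""
    spaced = "".join(" " if unicodedata.category(c)[0] == "C" else c for c in text)
    return " ".join(spaced.split())[:max_len]


def rp_display(query, cert_org=None):
    """Return what the IdP should show about the RP.

    cert_org is an assumption of this example: an organization name the IdP
    obtained from a third party, or None if it has nothing to compare against.
    """
    params = {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}

    # The URL the response goes to is always shown; it is the verifiable part.
    url_identity = params.get("openid.trust_root") or params.get("openid.return_to", "")
    host = urlsplit(url_identity).hostname or ""

    org = clean_label(params.get("openid.org_name", ""))
    logo = params.get("openid.logo_url", "")
    if urlsplit(logo).scheme not in ("http", "https"):
        logo = ""  # never hand javascript:, data: or similar to the page

    # The org name counts as verified only when it matches the third-party value.
    verified = bool(org) and cert_org is not None and \
        org.casefold() == clean_label(cert_org).casefold()
    return {"host": host, "org_name": org or None,
            "logo_url": logo or None, "org_verified": verified}
```
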





