proposal: RP display

Dick Hardt dick at sxip.com
Wed Sep 20 00:20:48 UTC 2006


A trusted CA would have signed the PayPal logo. As mentioned,
CardSpace is doing this, so OpenID would be able to follow what works
(or does not).

On 19-Sep-06, at 4:48 PM, Brad Fitzpatrick wrote:

> Drawbacks:
>    - false sense of security
>
> Can't badguy.com just crypto sign a PayPal logo hosted on badguy.com?
>
>
>
> On Mon, 18 Sep 2006, Dick Hardt wrote:
>
>> Problem:
>>
>> Identity of the RP is based on either the return_url or trust_root.
>> While these strings have the advantage that they are somewhat
>> verifiable as they are where the response will be sent, neither of
>> these are user friendly. An organization name and/or a graphic can be
>> more communicative. Additionally, when the user is wanting to review
>> something that happened with an RP later on, the URL may be quite
>> cryptic.
>>
>> The question arises, how does the IdP verify that the string or
>> graphic is really associated with the RP? Given that the user started
>> off at the RP, and that somehow the user knows the RP is really the
>> RP (a separate issue), then the user will be surprised by a graphic
>> or string that is not related to the site of the RP. In other words, if
>> the user is being phished, a cryptic URL is not going to provide the
>> user with anything they have not already seen in the browser. An org
>> name and/or graphic can be verified as belonging to the RP by a 3rd
>> party, so the IdP can show the user whether the displayed info has been
>> verified or not.
>>
>> CardSpace is supporting signed graphics and I think is looking at the
>> CA cert to check org name, so OpenID would be able to use a similar
>> mechanism.
>>
>> Proposal:
>> 	The addition of two optional parameters:
>> 	= 'openid.logo_url' - URL of either a signed or unsigned graphic
>> (size TBD)
>> 	= 'openid.org_name' - organization name of RP
>>
>> Benefits:
>> 	+ improved user experience
>> 	+ mechanism for IdP to display verified data about RP to user
>>
>> Drawbacks:
>> 	- additional work required for IdP to support, although IdP could
>> ignore
>>
>>
>>
>> _______________________________________________
>> specs mailing list
>> specs at openid.net
>> http://openid.net/mailman/listinfo/specs
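An added illustration of the IdP-side check this thread is circling around; it is not code from the thread or from any OpenID implementation. The point of Brad's objection is that a signature alone only proves who signed the logo, so the IdP has to check two things: that the signer is a CA it trusts, and that what the CA certified (org name, domain, logo hash) is bound to the trust_root of the request in front of it. Assumptions in this example: the CA's signature is a stand-in HMAC with a per-CA key held in the IdP's trust store (so it runs on the standard library; a real deployment would use an X.509 chain), the attestation fields and the trust_root host-matching rule are constructed for the example, and the logo bytes are constructed.

```python
import hashlib
import hmac
import json
from urllib.parse import urlparse

# Constructed trust store: CA name -> CA key. HMAC stands in for an X.509
# signature so the example runs offline with only the standard library.
TRUSTED_CA_KEYS = {"example-ca": b"example-ca-key-constructed"}

# Constructed stand-in for the PayPal logo image bytes.
PAYPAL_LOGO = b"\x89PNG constructed-paypal-logo-bytes"


def ca_sign_logo(ca_name, ca_key, org_name, domain, logo_bytes):
    """CA issues a logo attestation binding org name, domain and logo hash.

    A CA is expected to have verified out of band that org_name and the
    logo really belong to the operator of domain before signing.
    """
    statement = {
        "ca": ca_name,
        "org_name": org_name,
        "domain": domain,
        "logo_sha256": hashlib.sha256(logo_bytes).hexdigest(),
    }
    payload = json.dumps(statement, sort_keys=True).encode()
    sig = hmac.new(ca_key, payload, hashlib.sha256).hexdigest()
    return {**statement, "sig": sig}


def _host_of(trust_root):
    """Extract the host from a trust_root such as 'http://*.paypal.com/'."""
    host = urlparse(trust_root).hostname or ""
    if host.startswith("*."):
        host = host[2:]
    return host


def verify_rp_display(attestation, logo_bytes, trust_root):
    """IdP-side decision: may the logo/org name be shown as verified?

    Returns (verified, reason). When verified is False the IdP should fall
    back to showing the raw trust_root rather than the branded display.
    """
    ca_key = TRUSTED_CA_KEYS.get(attestation.get("ca"))
    if ca_key is None:
        return False, "signer is not a trusted CA"
    statement = {k: v for k, v in attestation.items() if k != "sig"}
    payload = json.dumps(statement, sort_keys=True).encode()
    expected = hmac.new(ca_key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, attestation.get("sig", "")):
        return False, "bad signature"
    if hashlib.sha256(logo_bytes).hexdigest() != attestation["logo_sha256"]:
        return False, "logo does not match attested hash"
    host = _host_of(trust_root)
    domain = attestation["domain"]
    if host != domain and not host.endswith("." + domain):
        return False, "attested domain does not match trust_root"
    return True, "verified"


def run_scenarios():
    """Three constructed requests as an IdP would see them."""
    paypal_att = ca_sign_logo("example-ca", TRUSTED_CA_KEYS["example-ca"],
                              "PayPal, Inc.", "paypal.com", PAYPAL_LOGO)
    # 1. Genuine RP: the certified domain matches the request's trust_root.
    legit = verify_rp_display(paypal_att, PAYPAL_LOGO, "http://*.paypal.com/")
    # 2. Brad's objection: badguy.com signs a PayPal logo itself. The
    #    signature checks out under badguy's own key, but that key is not
    #    in the IdP's trust store.
    badguy_att = ca_sign_logo("badguy-ca", b"badguy-key-constructed",
                              "PayPal, Inc.", "badguy.com", PAYPAL_LOGO)
    self_signed = verify_rp_display(badguy_att, PAYPAL_LOGO, "http://badguy.com/")
    # 3. badguy.com hosts and replays the genuine CA-signed PayPal
    #    attestation. Signature and hash are valid; the domain binding fails.
    replayed = verify_rp_display(paypal_att, PAYPAL_LOGO, "http://badguy.com/")
    return {"legit": legit, "self_signed": self_signed, "replayed_logo": replayed}


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name}: {result}")
```

The domain check in the last step is what makes a signed logo worth anything: without it, case 3 would display a verified PayPal logo on a badguy.com login. What the check cannot catch is a CA that certifies "PayPal, Inc." for badguy.com; that is the CA's vetting job, the same dependency CardSpace takes on when it trusts the CA cert's org name.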