proposal: RP display

Dick Hardt dick at sxip.com
Wed Sep 20 05:29:56 UTC 2006


Good point. I can't think of a good reason why it must be in core  
right now.

On 19-Sep-06, at 7:23 PM, Brad Fitzpatrick wrote:

> Any reason this can't be an optional extension rather than optional  
> in the
> core?
>
>
> On Tue, 19 Sep 2006, Dick Hardt wrote:
>
>>
>> A trusted CA would have signed the PayPal logo. As mentioned,
>> CardSpace is doing this, so OpenID would be able to follow what works
>> (or does not)
>>
>> On 19-Sep-06, at 4:48 PM, Brad Fitzpatrick wrote:
>>
>>> Drawbacks:
>>>    - false sense of security
>>>
>>> Can't badguy.com just crypto sign a PayPal logo hosted on  
>>> badguy.com?
>>>
>>>
>>>
>>> On Mon, 18 Sep 2006, Dick Hardt wrote:
>>>
>>>> Problem:
>>>>
>>>> Identity of the RP is based on either the return_url or trust_root.
>>>> While these strings have the advantage that they are somewhat
>>>> verifiable as they are where the response will be sent, neither of
>>>> these are user friendly. An organization name and/or a graphic  
>>>> can be
>>>> more communicative. Additionally, when the user is wanting to  
>>>> review
>>>> something that happened with an RP later on, the URL may be quite
>>>> cryptic.
>>>>
>>>> The question arises, how does the IdP verify that the string or
>>>> graphic is really associated with the RP? Given that the user  
>>>> started
>>>> off at the RP, and that somehow the user knows the RP is really the
>>>> RP (a separate issue), then the user will be surprised by a graphic
>>>> or string that is not related to the site the RP. In other  
>>>> words, if
>>>> the user is being phished,  a cryptic URL is not going to  
>>>> provide the
>>>> user with anything they have not already seen in the browser. An  
>>>> org
>>>> name and/or graphic can be verified to belonging to the RP by a 3rd
>>>> party, so the IdP can show the user if the displayed info has been
>>>> verified or not.
>>>>
>>>> CardSpace is supporting signed graphics and I think is looking  
>>>> at the
>>>> CA cert to check org name, so OpenID would be able to use a similar
>>>> mechanism.
>>>>
>>>> Proposal:
>>>> 	The additional of two optional parameters:
>>>> 	= 'openid.logo_url - URL of either a signed or unsigned graphic
>>>> (size TBD)
>>>> 	= 'openid.org_name' - organization name of RP
>>>>
>>>> Benefits:
>>>> 	+ improved user experience
>>>> 	+ mechanism for IdP to display verified data about RP to user
>>>>
>>>> Drawbacks:
>>>> 	- additional work required for IdP to support, although IdP could
>>>> ignore
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> specs mailing list
>>>> specs at openid.net
>>>> http://openid.net/mailman/listinfo/specs
>>>>
>>>>
>>>
>>>
>>
>>
>
>




More information about the specs mailing list