[OpenID] Identity Manager: A Browser-Based Solution to OpenID Phishing

James A. Donald jamesd at echeque.com
Tue Jan 23 08:46:30 UTC 2007

Marcin Jagodzin'ski wrote:
 > The idea seems good, but:
 > "Whenever a web page presents an OpenID sign in
 > option, the OpenID field and the Sign In button are
 > replaced by a single OpenID Sign In button. Moreover,
 > separate OpenID Sign In and CardSpace Sign In buttons
 > are replaced with a Secure Sign In button."
 > How browser can recognize that "web page presents an
 > OpenID sign in option"?

I would suggest that OpenID support by the User Agent is
triggered by a visible field that says OpenID_user_url,
and by a hidden field named "SupportedOpenID_versions"
containing a list of supported OpenID versions, and
another hidden field (to be filled in by the User Agent)
named "User Agent"

More information about the general mailing list