[OpenID] Tailoring headers to Consumers

SitG Admin sysadmin at shadowsinthegarden.com
Mon Jun 2 04:12:45 UTC 2008


>PAPE is a partial alternative (different RPs can ask for different 
>auth strengths).
>Changing openid.identity at the OP (like when using an OP identity) 
>is another partial alternative.
>Those alternatives have different dependencies (on the RPs and OPs) 
>so are not always suitable. They certainly are not always the 
>easiest solution.

One thought is an optional "trusted sites list" HTML header in the 
claimed URI, but this is a *lot* more compromising of privacy than 
dynamically serving up pages to identified RPs; even though the RPs 
don't authenticate their represented From field, a hostile user 
masquerading as various RPs would have to have knowledge of the 
specific RP in question. Knowing about it (and attempting to log in) 
would enable the hostile user to capture the From field; these could 
then be put into a database and the entire set of queries run at 
speed, automated.

Though, I suppose RPs could add a random string (much like OPs do 
now as generation markers) per URI to stop this, but it seems like a 
lot of overhead on the RP's part, plus it would sort of kill the 
ability to identify that RP's From header in advance; maybe one would 
be issued as part of a registration request, but that could easily 
lead to wasting the RP's resources generating random numbers for 
frivolous registration requests, and requiring additional 
authentication (such as CAPTCHAs) before generating one would take 
away from the SSO promise.

-Shade
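The two schemes discussed in the post, modelled as an added example (not code from the original message or from any OpenID implementation): a claimed-identifier page tailored per RP from an unauthenticated From header, the enumeration that header spoofing makes possible, and the per-RP random-string variant issued at registration. The RP names, OP URLs, the X-RP-Token header and the registration budget are all assumptions made for the example.

```python
"""Per-RP tailoring of an OpenID claimed-identifier page: naive vs token-gated.

Added example; every name and URL below is hypothetical.
"""
import hmac
import secrets

# Constructed policy of one identifier owner: which OP to delegate to per RP.
TRUSTED_SITES = {
    "https://rp-bank.example/": "https://op-strong.example/",
    "https://rp-forum.example/": "https://op-casual.example/",
}
DEFAULT_OP = "https://op-default.example/"


def render_page(op_endpoint):
    """The claimed URI's HTML; the only thing tailored is the OP it delegates to."""
    return f'<link rel="openid2.provider" href="{op_endpoint}">'


def identifier_page_naive(headers):
    """Naive scheme: trust the RP's self-declared From header outright."""
    rp = headers.get("From", "")
    return render_page(TRUSTED_SITES.get(rp, DEFAULT_OP))


def enumerate_naive(candidate_rps):
    """Hostile user: replay every captured From value and collect the tailored pages."""
    return {rp: identifier_page_naive({"From": rp}) for rp in candidate_rps}


class TokenGatedIdentifier:
    """Variant where each RP is issued a random string at registration.

    The From header alone no longer selects a page; the matching token
    (assumed to travel in a hypothetical X-RP-Token header) must accompany it.
    """

    def __init__(self, trusted_sites, default_op=DEFAULT_OP, max_registrations=100):
        self.trusted_sites = trusted_sites
        self.default_op = default_op
        # Registration is open, so a budget caps the cost of frivolous requests.
        self.max_registrations = max_registrations
        self.tokens = {}

    def register(self, rp):
        """Issue a fresh random string for an RP; raises once the budget is spent."""
        if len(self.tokens) >= self.max_registrations:
            raise RuntimeError("registration budget exhausted")
        token = secrets.token_urlsafe(16)
        self.tokens[rp] = token
        return token

    def page(self, headers):
        """Serve the tailored page only when From and its issued token agree."""
        rp = headers.get("From", "")
        presented = headers.get("X-RP-Token", "")
        expected = self.tokens.get(rp)
        if expected is None or not hmac.compare_digest(
            presented.encode(), expected.encode()
        ):
            return render_page(self.default_op)
        return render_page(self.trusted_sites.get(rp, self.default_op))


if __name__ == "__main__":
    # A spoofing client learns the whole mapping with one request per guessed RP.
    for rp, page in enumerate_naive(TRUSTED_SITES).items():
        print("naive", rp, "->", page)
    gated = TokenGatedIdentifier(TRUSTED_SITES)
    print("gated, spoofed From only ->", gated.page({"From": "https://rp-bank.example/"}))
    tok = gated.register("https://rp-bank.example/")
    print("gated, From + token ->",
          gated.page({"From": "https://rp-bank.example/", "X-RP-Token": tok}))
```

The naive scheme leaks the owner's per-RP policy to anyone who can list RP names, which is the enumeration the post describes. The token-gated variant closes that, at the cost the post also names: the page can no longer be tailored for an RP before it has registered, and open registration has to be rate-limited or budgeted somewhere.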


