[OpenID] Tailoring headers to Consumers

SitG Admin sysadmin at shadowsinthegarden.com
Sat May 31 03:52:40 UTC 2008


Something that I've been contemplating for a bit, and generally 
having a disturbing lack of success finding problems with, is the 
idea of having my server only include some OpenID headers when I or 
a pre-identified Relying Party (by IP and/or UserAgent) request 
the page. Visitors could of course adjust their own UserAgent (to see 
my OpenID) with ease; that's not what I'm trying to affect, though. 
The *point* would be to control whether a non-hostile Consumer sees 
*any* OpenID headers at my site; if not, fraudulently representing 
themselves as me would be difficult, even if they *could* spoof my 
credentials. This could provide a layer of protection against 
Providers that turn out to be hostile or vulnerable to a hostile 
party's theft of their authentication records. There are also some 
possible benefits in being able to effectively use *multiple* 
Providers, simultaneously; for unimportant sites or leaving comments, 
a Provider with weak authentication, while for important sites, a 
Provider with biometrics and smart cards and fractally changing 
passwords.

Since I'm unlikely to know the library (this affects UserAgent) a 
Consumer is using when I first try to sign in there, I would have to 
try once while looking at my access logs to figure it out. This is an 
inconvenience, but one I'm okay with.

(I might be able to eliminate the need for SSH access to my server 
with a bit of code to publish *just the UserAgent headers* from the 
last few minutes' worth of requests - whether that page's URL is 
secret or not, there's not much in there to violate my users' 
privacy. Most sites I've tried logging into request the claimed 
Identity page with something common (but not used by casual visitors) 
like cURL, so if this continues to be the case it'd be a rare site 
that required me to wait until I could check my server's logs for an 
IP.)

-Shade (thinking of crossposting this to security@)
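
An added illustration of the scheme described in the post above, not code from the original message or from any OpenID library: the claimed-identifier page only carries the OpenID discovery tags when the request comes from an allow-listed IP range or an allow-listed User-Agent, and a second helper extracts the (IP, User-Agent) pairs from the last few minutes of Apache combined-format access log lines, which is the "publish just the UserAgent headers" page the post sketches. The provider URLs, the trusted networks and User-Agent patterns, and the log lines are all assumptions constructed for the example.

```python
"""Conditional OpenID discovery markup plus a recent-User-Agent extractor.

Added example; not code from the original post. All endpoints, allow-lists
and log lines below are constructed for illustration.
"""
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Assumed OpenID 1.x and 2.0 discovery tags that would normally sit in the
# <head> of the identifier page. Provider URLs are placeholders.
OPENID_LINKS = (
    '<link rel="openid.server" href="https://provider.example/server">\n'
    '<link rel="openid.delegate" href="https://provider.example/id/shade">\n'
    '<link rel="openid2.provider" href="https://provider.example/server">\n'
    '<link rel="openid2.local_id" href="https://provider.example/id/shade">\n'
)

# Assumed allow-lists: the owner's own address block, and the User-Agent
# strings of consumer libraries previously spotted in the access logs.
TRUSTED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]
TRUSTED_UA_PATTERNS = [re.compile(p) for p in (r"^curl/", r"^python-openid/")]


def is_trusted_client(remote_addr, user_agent,
                      networks=TRUSTED_NETWORKS, ua_patterns=TRUSTED_UA_PATTERNS):
    """True when the request comes from an allow-listed network or carries an
    allow-listed User-Agent. Both signals are client-controlled, so this only
    hides the tags from consumers that do not know to imitate them."""
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:
        addr = None  # malformed or missing address: fall through to UA check
    if addr is not None and any(addr in net for net in networks):
        return True
    return any(p.search(user_agent or "") for p in ua_patterns)


def identity_page(remote_addr, user_agent):
    """Render the identifier page; the discovery tags appear only for
    trusted clients, so a casual visitor sees a plain page."""
    head = OPENID_LINKS if is_trusted_client(remote_addr, user_agent) else ""
    return ("<html><head><title>Shade</title>\n" + head +
            "</head><body>Shade's page</body></html>")


def has_openid_links(html):
    """Helper for callers/tests: does the rendered page expose discovery tags?"""
    return "openid.server" in html or "openid2.provider" in html


# Apache "combined" log format: ip ident user [ts] "req" status size "ref" "ua"
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" \d+ \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def recent_user_agents(log_lines, now, window=timedelta(minutes=5)):
    """Return distinct (ip, user_agent) pairs seen within `window` of `now`,
    in first-seen order; unparsable lines are skipped. This is the minimal
    data the post proposes publishing so the owner can spot a consumer's
    fetch without shelling in to read the full logs."""
    seen = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        if timedelta(0) <= now - ts <= window:
            pair = (m.group("ip"), m.group("ua"))
            if pair not in seen:
                seen.append(pair)
    return seen


# Constructed sample log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '198.51.100.7 - - [31/May/2008:03:40:10 +0000] "GET / HTTP/1.1" 200 1234 "-" "Mozilla/5.0 (X11; Linux) Firefox/2.0"',
    '192.0.2.44 - - [31/May/2008:03:50:02 +0000] "GET / HTTP/1.1" 200 1234 "-" "curl/7.18.0"',
    '192.0.2.44 - - [31/May/2008:03:50:03 +0000] "GET / HTTP/1.1" 200 1234 "-" "curl/7.18.0"',
    'garbage line that does not parse',
    '203.0.113.5 - - [31/May/2008:03:51:30 +0000] "GET / HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
]
NOW = datetime(2008, 5, 31, 3, 52, 40, tzinfo=timezone.utc)

if __name__ == "__main__":
    for ip, ua in recent_user_agents(SAMPLE_LOG, NOW):
        print(ip, ua)
    print(has_openid_links(identity_page("192.0.2.44", "curl/7.18.0")))
    print(has_openid_links(identity_page("198.51.100.7", "Mozilla/5.0")))
```

Two caveats a practitioner would attach. First, the gate is only as strong as the signals it keys on: User-Agent is free-form client input, and an address allow-list is a weak bind once the consumer's fetch is proxied or its library changes. Second, OpenID 2.0 consumers may start discovery with Yadis (an `X-XRDS-Location` response header or an XRDS document) rather than the HTML link tags, so the same trusted-client decision has to govern that header and document too, or hiding the link tags alone achieves nothing for those consumers.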