[OpenID] Graphical UIs

Breno de Medeiros breno at google.com
Thu May 14 19:00:03 UTC 2009


Taking the opportunity of the popup UI announcement, I would like to
open a conversation that is not necessarily OpenID specific, but which
is certainly directly related to our OpenID UI implementation. So this
forum is probably as good as any to take it up. I am talking about
branded graphics representing RPs in the OP authorization page. Or
even ye olde favicon.ico's.

We would like to be able to do that without managing whitelists.
Currently we have a few whitelisted RPs for which we show a page that
includes their favicon.ico via whitelisting, but that comes with high
overhead. Instead, I have in mind something simple and not really
OpenID specific. A site that wants its favicons to show up in 3rd
party sites to represent them can add a link to some well-known
location. I am thinking the /host-meta or /;well-known/host-meta
proposed URL, containing a single Link syntax such as:

Link: </favicon.ico>;
rel="http://example.com/use_this_image_to_represent_my_brand_in_approval_pages_for_authorization_requests_if_I_send_users_your_way"

The reason why this is useful is that simply because someone posts a
favicon.ico in their website, it does not mean that they have approved
it being used for other purposes beyond showing up on the URL bar of
users' browsers. So scraping RPs' favicons without something like this
may not be feasible.

Of course, such a simple mechanism can support publishing other icon
sizes, for example.

I understand that there are many questions (phishing comes to mind)
that this proposal does not address, and that some (maybe most)
parties may want to enforce whitelists in all circumstances. On the
other hand, it could turn out to be useful and easy to implement.


-- 
--Breno (Google).
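
An added example, not part of the original message or of any OP's code: a sketch of how an OP could consume the opt-in described above, reading an already-fetched host-meta document and returning an icon only when a Link line carries the agreed rel value. The function name `brand_icon`, the origin `rp.example`, the one-link-per-line parsing and the same-origin restriction on the icon target are assumptions of this sketch, not part of the proposal.

```python
import re
from urllib.parse import urljoin, urlsplit

# rel value taken from the example in the message; a real deployment would agree on its own.
BRAND_REL = ("http://example.com/use_this_image_to_represent_my_brand_in_approval_pages"
             "_for_authorization_requests_if_I_send_users_your_way")

FIELD_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*:")        # start of a new "Name:" field
LINK_RE = re.compile(r"^Link:\s*<([^>]*)>(.*)$", re.I)   # one link per field, as in the message
PARAM_RE = re.compile(r';\s*([\w-]+)\s*=\s*(?:"([^"]*)"|([^;\s]+))')

# Constructed sample: the message's Link example, wrapped over two lines as mailed.
SAMPLE = 'Link: </favicon.ico>;\nrel="' + BRAND_REL + '"\n'


def brand_icon(rp_origin, host_meta_text):
    """Return the absolute icon URL the RP opted in to, or None if there is no opt-in."""
    origin = urlsplit(rp_origin)
    # Re-join wrapped lines: anything that does not start a new field continues the last one.
    fields = []
    for line in host_meta_text.splitlines():
        if FIELD_RE.match(line):
            fields.append(line.strip())
        elif fields and line.strip():
            fields[-1] += " " + line.strip()
    for field in fields:
        m = LINK_RE.match(field)
        if not m:
            continue
        target, params = m.groups()
        rels = []
        for name, quoted, bare in PARAM_RE.findall(params):
            if name.lower() == "rel":
                rels += (quoted or bare).split()
        if BRAND_REL not in rels:
            continue  # a plain rel="icon" is not consent to third-party use
        icon = urlsplit(urljoin(rp_origin + "/", target))
        # Assumption of this sketch: only accept icons served by the RP's own origin.
        if (icon.scheme, icon.netloc.lower()) != (origin.scheme, origin.netloc.lower()):
            continue
        return icon.geturl()
    return None


if __name__ == "__main__":
    print(brand_icon("https://rp.example", SAMPLE))
```
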


