[OpenID] Graphical UIs
Nate Klingenstein
ndk at internet2.edu
Thu May 14 21:11:12 UTC 2009
George,
> I wonder if we couldn't leverage off the existing OpenID + OAuth
> hybrid to create a mechanism to deliver a signed OpenID AuthN
> request. If the signature is valid, the customizations are
> displayed. If the signature doesn't match, then just display the
> "generic" UI. This way the user isn't kept from logging in, but the
> UI customizations are only displayed if the invoking service is
> verified.
You can rely on the establishment of a key out of band, and if you can
assume the hybrid protocol is being utilized, it would make sense to
reduce redundancy there. But you're still relying on bilateral
pre-registration and whitelisting, which are not really scalable. Any RP
to which the OP is naive can present any logo it wants, including that
of an organization it wants to impersonate.
Still think we need a trust and reputation fabric.
Take care,
Nate.
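To make the trade-off in the two messages above concrete, here is an added example, written for this page and not code from the thread or from any OpenID library. It sketches the signed-request idea George describes on the OP side: the OP keeps a pre-registration table of RP realms and shared secrets (the bilateral whitelist Nate objects to), verifies an HMAC over the request, and shows the RP's branding only when the realm is registered and the signature checks out; otherwise login proceeds with the generic UI. The parameter names `openid.ui.sig`, `openid.ui.logo` and `openid.ui.name`, the registry contents and the keys are all constructed for the illustration. The third scenario shows why the registry, not the signature, is what blocks the impersonation Nate mentions: an unknown RP can sign with any key it likes and still gets nothing but the generic UI.

```python
import hashlib
import hmac
from urllib.parse import urlencode

# Constructed pre-registration table: RP realm -> secret shared out of band.
# This is the bilateral whitelist the thread discusses; only realms listed
# here can ever have their branding displayed.
RP_REGISTRY = {
    "https://registered-rp.example/": b"constructed-shared-secret-1",
}

SIG_PARAM = "openid.ui.sig"    # hypothetical parameter names, not from any spec
LOGO_PARAM = "openid.ui.logo"
NAME_PARAM = "openid.ui.name"
GENERIC_UI = {"logo": None, "display_name": None}


def canonical_request(params):
    """Canonical byte form of the request: sorted key=value pairs, signature excluded."""
    items = sorted((k, v) for k, v in params.items() if k != SIG_PARAM)
    return urlencode(items).encode()


def sign_request(params, secret):
    """RP side: attach an HMAC-SHA256 over the canonical request."""
    mac = hmac.new(secret, canonical_request(params), hashlib.sha256).hexdigest()
    return {**params, SIG_PARAM: mac}


def choose_ui(params, registry=RP_REGISTRY):
    """OP side: ("custom", branding) only for a verified, pre-registered RP,
    otherwise ("generic", GENERIC_UI). The user can log in either way."""
    secret = registry.get(params.get("openid.realm", ""))
    if secret is None:
        # Unknown RP: a signature under a key we never registered proves nothing
        # about who the RP is, so whatever logo it sent must not be displayed.
        return "generic", GENERIC_UI
    expected = hmac.new(secret, canonical_request(params), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, params.get(SIG_PARAM, "")):
        # Registered realm but the request was altered or signed with the wrong key.
        return "generic", GENERIC_UI
    return "custom", {"logo": params.get(LOGO_PARAM), "display_name": params.get(NAME_PARAM)}


def demo():
    """Three constructed scenarios; returns the UI mode chosen for each."""
    base = {"openid.mode": "checkid_setup",
            "openid.return_to": "https://registered-rp.example/cb"}
    # 1. Registered RP, correctly signed: branding is shown.
    good = sign_request({**base, "openid.realm": "https://registered-rp.example/",
                         LOGO_PARAM: "https://registered-rp.example/logo.png",
                         NAME_PARAM: "Registered RP"},
                        RP_REGISTRY["https://registered-rp.example/"])
    # 2. Unregistered RP signing with its own key and claiming another org's brand:
    #    generic UI, because the OP holds no key for that realm.
    impostor = sign_request({**base, "openid.realm": "https://unknown-rp.example/",
                             "openid.return_to": "https://unknown-rp.example/cb",
                             LOGO_PARAM: "https://registered-rp.example/logo.png",
                             NAME_PARAM: "Registered RP"},
                            b"constructed-unregistered-key")
    # 3. Registered realm, but a branding parameter was changed after signing.
    tampered = {**good, NAME_PARAM: "Someone Else"}
    return {
        "registered": choose_ui(good)[0],
        "unregistered": choose_ui(impostor)[0],
        "tampered": choose_ui(tampered)[0],
    }


if __name__ == "__main__":
    print(demo())  # {'registered': 'custom', 'unregistered': 'generic', 'tampered': 'generic'}
```

Note that every RP that wants branding has to appear in `RP_REGISTRY` before the OP will honour it, which is exactly the per-pair registration the thread is weighing against a broader trust and reputation fabric.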