[OpenID] Graphical UIs
Breno de Medeiros
breno at google.com
Thu May 14 22:52:08 UTC 2009
Currently, we display the favicon.ico next to a large, bold font
version of the realm name extracted from URL, and we think that the
advantage to phishers is fairly minor.
If we were to display larger size icons or alternative text
representations, we may have to be more cautious.
For an idea of what I am talking about, you can try logging in to Plaxo
using a Google Account.
On Thu, May 14, 2009 at 2:49 PM, Paul Madsen <paulmadsen at rogers.com> wrote:
> Breno, are you whitelisting now only due to the desire to show RP graphics?
>
> Even with this proposal, won't you still have (or want) to maintain an RP
> whitelist (but not copies of their favicons)?
>
> thanks
>
> paul
>
> Breno de Medeiros wrote:
>>
>> Taking the opportunity of the popup UI announcement, I would like to
>> open a conversation that is not necessarily OpenID specific, but which
>> is certainly directly related to our OpenID UI implementation. So this
>> forum is probably as good as any to take it up. I am talking about
>> branded graphics representing RPs in the OP authorization page. Or
>> even ye olde favicon.ico's.
>>
>> We would like to be able to do that without managing whitelists.
>> Currently we have a few whitelisted RPs for which we show a page that
>> includes their favicon.ico via whitelisting, but that comes with high
overhead. Instead, I have in mind something simple and not really
>> OpenID specific. A site that wants its favicons to show up in 3rd
>> party sites to represent them can add a link to some well-known
>> location. I am thinking the /host-meta or /;well-known/host-meta
>> proposed URL, containing a single Link syntax such as:
>>
>> Link: </favicon.ico>; rel="http://example.com/use_this_image_to_represent_my_brand_in_approval_pages_for_authorization_requests_if_I_send_users_your_way"
>>
>> The reason why this is useful is that simply because someone posts a
>> favicon.ico in their website, it does not mean that they have approved
>> it being used for other purposes beyond showing up on the URL bar of
users' browsers. So scraping RPs' favicons without something like this
>> may not be feasible.
>>
>> Of course, such a simple mechanism can support publishing other icon
>> sizes, for example.
>>
>> I understand that there are many questions (phishing comes to mind)
>> that this proposal does not address, and that some (maybe most)
>> parties may want to enforce whitelists in all circumstances. On the
>> other hand, it could turn out to be useful and easy to implement.
>>
>
--
--Breno
+1 (650) 214-1007 desk
+1 (408) 212-0135 (Grand Central)
MTV-41-3 : 383-A
PST (GMT-8) / PDT(GMT-7)
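As an added illustration (not code from this thread, from Google's OP, or from any OpenID library), here is how an OP could consume the host-meta Link entries the proposal describes. The host-meta text is constructed, and the same-host rule for the icon URL is an assumption, added because an OP should not let an RP's Link entry make it display an image hosted by some third party.

```python
import re
from urllib.parse import urljoin, urlparse

# The rel value proposed in the thread (quoted verbatim from the message).
BRAND_REL = ("http://example.com/use_this_image_to_represent_my_brand_in_"
             "approval_pages_for_authorization_requests_if_I_send_users_your_way")

# Constructed sample of what an OP might fetch from http://rp.example.net/host-meta
SAMPLE_HOST_META = (
    'Link: </favicon.ico>; rel="' + BRAND_REL + '"\n'
    'Link: </icons/big.png>; rel="' + BRAND_REL + '"; type="image/png"\n'
    'Link: <http://cdn.example.org/logo.png>; rel="' + BRAND_REL + '"\n'
    'Link: <http://other.example/>; rel="author"\n'
)

# One Link line: <target> followed by zero or more ;name=value parameters.
LINK_RE = re.compile(r'^Link:\s*<([^>]*)>\s*((?:;\s*[^;]+)*)\s*$')
PARAM_RE = re.compile(r';\s*([\w-]+)\s*=\s*(?:"([^"]*)"|([^;\s]+))')


def parse_host_meta_links(text):
    """Return a list of (target, {param: value}) for each Link line."""
    links = []
    for line in text.splitlines():
        m = LINK_RE.match(line.strip())
        if not m:
            continue
        params = {name: (quoted if quoted else bare)
                  for name, quoted, bare in PARAM_RE.findall(m.group(2))}
        links.append((m.group(1), params))
    return links


def brand_icons(realm, host_meta_text):
    """Icons the RP has explicitly offered for use on the approval page.

    Only icons on the realm's own host are accepted (assumed policy): the
    Link entry itself is opt-in, but it must not redirect the OP to an
    image served from an unrelated host.
    """
    realm_host = urlparse(realm).netloc.lower()
    accepted = []
    for target, params in parse_host_meta_links(host_meta_text):
        if params.get("rel") != BRAND_REL:
            continue  # some other relation, e.g. rel="author"
        url = urljoin(realm, target)  # relative targets resolve against the realm
        if urlparse(url).netloc.lower() != realm_host:
            continue  # third-party host: do not show it as the RP's brand
        accepted.append((url, params.get("type")))
    return accepted
```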