[OpenID] Graphical UIs
George Fletcher
gffletch at aol.com
Fri May 15 00:15:41 UTC 2009
Nate Klingenstein wrote:
> George,
>
>> I wonder if we couldn't leverage off the existing OpenID + OAuth
>> hybrid to create a mechanism to deliver a signed OpenID AuthN
>> request. If the signature is valid, the customizations are displayed.
>> If the signature doesn't match, then just display the "generic" UI.
>> This way the user isn't kept from logging in, but the UI
>> customizations are only displayed if the invoking service is verified.
>
> You can rely on the establishment of a key out of band, and if you can
> assume the hybrid protocol is being utilized, it would make sense to
> reduce redundancy there. But you're still relying on bilateral
> pre-registration and whitelisting, which are not really scalable. Any
> RP to which the OP is naive can present any logo it wants, including
> that of an organization it wants to impersonate.
>
> Still think we need a trust and reputation fabric.
Actually, what I've been thinking about doesn't rely on resources
provided during the OpenID UI flow. Instead they are tied to the
"identity" of the RP (potentially verified by a signed AuthN request).
In our experience the RP wants more flexibility than just showing their
favicon. Instead they desire to show larger icons, text etc. In that
light, I agree that "trust" is required.
In the case of OAuth, some level of out-of-band establishment is
required anyway. If, when requesting an OAuth Consumer token and secret,
I can also present the resources to be displayed during authentication,
then I have a mechanism for establishing the trust necessary to "safely"
provide greater UI customizations.
Note that this doesn't preclude RPs from using the OP at any time. It's
just that if there isn't any trust, the user at the RP will see the standard
OP UI rather than a customized one (because the OP doesn't have any
"trust" with the RP).
Thanks,
George
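The mechanism George sketches above, as an added illustration that is not code from the list or from any OpenID/OAuth implementation: the OP records the RP's consumer secret together with the display resources at registration time, the RP signs its OpenID AuthN request with that secret (HMAC-SHA1 over an OAuth 1.0a-style canonical parameter string is assumed here), and the OP verifies the signature only to decide which UI to render. The parameter names `openid.rp.key` and `openid.rp.sig`, the `RP_REGISTRY` contents and the URLs are all made up for the example. Login is never refused: an unknown RP, a missing signature or a tampered request simply gets the generic UI.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

# Constructed registry standing in for what the OP would store when it hands
# an RP an OAuth consumer key/secret and, per the proposal, the display
# resources the RP wants shown during authentication (assumption: a real OP
# keeps this in a database and reviews the resources before accepting them).
RP_REGISTRY = {
    "rp-example-key": {
        "secret": "s3cr3t-consumer-secret",
        "ui": {
            "logo": "https://rp.example/logo-large.png",
            "text": "Sign in to RP Example with your OpenID",
        },
    },
}

# What every RP gets when the OP has no trust relationship with it.
GENERIC_UI = {"logo": None, "text": "Sign in with your OpenID"}

SIG_PARAM = "openid.rp.sig"   # hypothetical parameter carrying the signature
KEY_PARAM = "openid.rp.key"   # hypothetical parameter carrying the consumer key


def _base_string(params):
    """OAuth 1.0a-style canonicalisation: drop the signature, sort by key,
    percent-encode keys and values, join with '&'."""
    items = sorted((k, v) for k, v in params.items() if k != SIG_PARAM)
    return "&".join(f"{quote(k, safe='')}={quote(v, safe='')}" for k, v in items)


def _hmac_sha1_b64(secret, params):
    mac = hmac.new(secret.encode(), _base_string(params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()


def sign_request(params, secret):
    """RP side: attach an HMAC-SHA1 signature keyed with the consumer secret."""
    signed = dict(params)
    signed[SIG_PARAM] = _hmac_sha1_b64(secret, params)
    return signed


def select_ui(params):
    """OP side: return (ui, verified). Verification failure never blocks the
    login; it only downgrades the UI to the generic one."""
    entry = RP_REGISTRY.get(params.get(KEY_PARAM))
    sig = params.get(SIG_PARAM)
    if entry is None or sig is None:
        return GENERIC_UI, False          # OP is "naive" to this RP, or unsigned
    expected = _hmac_sha1_b64(entry["secret"], params)
    if hmac.compare_digest(expected, sig):
        return entry["ui"], True          # trusted RP: show its customizations
    return GENERIC_UI, False              # bad signature: fall back, still allow login


def demo():
    """Run the four cases a practitioner would check; returns a dict of results."""
    base = {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "checkid_setup",
        "openid.return_to": "https://rp.example/return",
        "openid.realm": "https://rp.example/",
        KEY_PARAM: "rp-example-key",
    }
    good = sign_request(base, RP_REGISTRY["rp-example-key"]["secret"])
    # Attacker rewrites return_to after the RP signed the request.
    tampered = {**good, "openid.return_to": "https://evil.example/return"}
    # An RP the OP has never registered presents a key it hopes will work.
    unknown = sign_request({**base, KEY_PARAM: "nobody"}, "guessed-secret")
    return {
        "good": select_ui(good),
        "tampered": select_ui(tampered),
        "unknown": select_ui(unknown),
        "unsigned": select_ui(base),
    }


if __name__ == "__main__":
    for case, (ui, verified) in demo().items():
        print(f"{case:9s} verified={verified!s:5s} text={ui['text']!r}")
```

Two things the sketch leaves out that a real deployment would need: a timestamp and nonce in the signed parameters (as OAuth 1.0a requires) so a captured signed request cannot be replayed to repaint the OP's login page later, and a check that `openid.return_to` and `openid.realm` match what the RP registered, since those are the values a tampering attacker cares about.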