[OpenID] Graphical UIs

George Fletcher gffletch at aol.com
Fri May 15 01:24:18 UTC 2009


Nate Klingenstein wrote:
> George,
>
>> In the case of OAuth, some level of out-of-band establishment is 
>> required anyway. If when requesting an OAuth Consumer token and 
>> secret, I can also present the resources to be displayed during 
>> authentication, then I have a mechanism of establishing the trust 
>> necessary to "safely" provide greater UI customizations.
>>
>> Note that this doesn't preclude RPs from using the OP at any time. 
>> It's just if there isn't any trust the user at the RP will see the 
>> standard OP UI rather than a customized one (because the OP doesn't 
>> have any "trust" with the RP).
>
> I think this is all consistent with what I wrote.  My concern is that 
> the requirement for bilateral trust establishment, which is one of 
> those N(N-1)/2 kinds of problems.  That's clearly unfeasible in our 
> deployment environments, though it may be a more reasonable multiplier 
> in yours.  This is where I continue to see a strong roll for other 
> trust establishment techniques.
>
> Also, the reliance on OAuth would mean that such a trust solution 
> would not be available to those using OpenID alone.
>
> I really think we need a more cohesive solution for OpenID trust 
> establishment.
> Nate.
>
No arguments there:) I was looking at this from the perspective of 
something that exists (more or less).

Any suggestions for how to build this in a way that OPs can trust the 
RP with no a priori agreements? Seems like it has to include something 
that "proves the RP" along with the "trust level" of the RP. Not sure 
how to do the first step without signing. If not signed AuthN requests, 
maybe leverage signed XRDs? and list the UI customizations in the XRD, 
or point to them from the XRD? Then leverage some 3rd party trust 
solution using the RP's canonical ID to determine trust level? Or a 
signed 3rd party attribute (where the 3rd party is the reputation/trust 
broker)?

Even in that case, I'd probably institute a black list to protect 
against RPs that game the trust system.

Thanks,
George
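An added illustration (not code from this thread or from any OpenID implementation) of the OP-side decision George sketches: a third-party trust broker signs an attribute binding the RP's canonical ID to a trust level, the OP verifies it, checks a blocklist, and only then honours UI customizations; anything that fails falls back to the standard OP UI. The broker key, trust-level table, blocklist entries and the HMAC stand-in for the broker's signature are all assumptions.

```python
import base64
import hashlib
import hmac
import json

# Constructed key shared between the trust broker and the OP. A real broker
# would sign with a private key; HMAC is a stdlib stand-in for that signature.
BROKER_KEY = b"constructed-broker-key"

# Trust levels map to the UI customizations the OP is willing to honour.
UI_BY_LEVEL = {0: set(), 1: {"logo"}, 2: {"logo", "colors", "text"}}

# Constructed blocklist of RP canonical IDs that gamed the trust system.
BLOCKLIST = {"https://gamed-rp.example/"}


def broker_sign(rp_canonical_id, trust_level):
    """Issue a signed attribute: (RP canonical ID, trust level)."""
    payload = json.dumps({"rp": rp_canonical_id, "level": trust_level},
                         sort_keys=True).encode()
    mac = hmac.new(BROKER_KEY, payload, hashlib.sha256).digest()
    return base64.b64encode(payload).decode() + "." + base64.b64encode(mac).decode()


def verify_attribute(token):
    """Return (rp, level) if the broker's signature checks, else None."""
    try:
        payload_b64, mac_b64 = token.split(".")
        payload = base64.b64decode(payload_b64)
        mac = base64.b64decode(mac_b64)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(BROKER_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return None
    data = json.loads(payload)
    return data["rp"], int(data["level"])


def allowed_customizations(token, request_realm, requested):
    """Decide which requested UI customizations the OP honours.

    Any failure falls back to the standard OP UI (empty set)."""
    verified = verify_attribute(token) if token else None
    if verified is None:
        return set()
    rp, level = verified
    # The attribute must name the RP making this request; with unsigned
    # AuthN requests the realm itself is still the weak link George notes.
    if rp != request_realm or rp in BLOCKLIST:
        return set()
    return set(requested) & UI_BY_LEVEL.get(level, set())
```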