[OpenID] Graphical UIs
Nate Klingenstein
ndk at internet2.edu
Fri May 15 01:52:11 UTC 2009
George,

> If not signed AuthN requests, maybe leverage signed XRDs? and list
> the UI customizations in the XRD, or point to them from the XRD?
> Then leverage some 3rd party trust solution using the RP's canonical
> ID to determine trust level? Or a signed 3rd party attribute (where
> the 3rd party is the reputation/trust broker)?

Roughly this, yeah. I want to have pointers in the discovery system
to trust brokers who are capable of tagging an entity in some form.
Rather than dealing with distributed signatures -- particularly XML
signatures -- just use callbacks to the third party based on the
entityID/OP identifier, or even the individual's identifier if that
fits some use cases. That may be "Validated by GeoSignRoot," "35
trust points", or "Member of InCommon."

Someone could also run a spammer/fraudster blacklist this way that was
always checked, though I don't know if that's scalable either, given
the ease of bringing up new providers.

It's up to the OP/RP to be able to query the trust broker and
interpret the results if it cares. Otherwise, it can do as it
pleases, applying its own white/blacklists if it wants.

I sent out a message with this same hypothesis about a year ago, but
heard no response. I've been waiting for ORMS work in OASIS to spin
up, but that's moving at a leisurely pace, it seems.

Would love to see something more expedient done and be a part of
making it happen if there's interest. I think this is a critical
general solution to the problem.

Take care,
Nate.
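
The broker-callback flow described in this message, sketched as an added example that is not part of the original post or of any OpenID specification. All URLs, the data layout, the `query_broker` and `evaluate` names, and the outage and trust policy are assumptions; the message defines no wire format.

```python
# Hypothetical relying-party policy. Every identifier below is constructed.
TRUSTED_BROKERS = {"https://broker.example/"}   # brokers this RP chooses to believe
ALWAYS_CHECKED = "https://blacklist.example/"   # fraud list queried for every entity
LOCAL_WHITELIST = {"https://partner-op.example/"}
LOCAL_BLACKLIST = {"https://banned-op.example/"}

# Constructed broker answers: broker -> entity ID -> tags.
BROKER_DATA = {
    "https://broker.example/": {"https://op.example.org/": ["Member of InCommon"]},
    "https://blacklist.example/": {"https://fraud-op.example/": ["blacklisted"]},
    "https://self-run-broker.example/": {"https://self-op.example/": ["35 trust points"]},
}
# Constructed discovery data: entity ID -> broker pointers it advertises.
DISCOVERY = {
    "https://op.example.org/": ["https://broker.example/"],
    "https://self-op.example/": ["https://self-run-broker.example/"],
}

def query_broker(broker, entity_id):
    """Stand-in for the callback to a broker; raises if it is unreachable."""
    if broker not in BROKER_DATA:
        raise ConnectionError(broker)
    return BROKER_DATA[broker].get(entity_id, [])

def evaluate(entity_id):
    """Return (decision, tags) for an OP/RP identifier."""
    if entity_id in LOCAL_BLACKLIST:        # local lists are applied first
        return "deny", []
    if entity_id in LOCAL_WHITELIST:
        return "allow", []
    try:
        if query_broker(ALWAYS_CHECKED, entity_id):
            return "deny", ["blacklisted"]
    except ConnectionError:
        pass  # assumed policy: a blacklist outage neither denies nor adds trust
    tags = []
    for broker in DISCOVERY.get(entity_id, []):
        if broker not in TRUSTED_BROKERS:
            continue  # pointers are self-asserted; skip brokers we do not trust
        try:
            tags += query_broker(broker, entity_id)
        except ConnectionError:
            continue  # an unreachable broker contributes no tags
    return ("allow" if tags else "unknown"), tags
```

The `self-op` case shows why the pointer alone cannot carry trust: an entity can advertise a broker it runs itself, so only tags from brokers the querying party already trusts are counted.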