[OpenID] Graphical UIs
Nate Klingenstein
ndk at internet2.edu
Fri May 15 05:28:06 UTC 2009
Andrew,
> Why would OAuth be necessary? If an RP registered with an OP and
> submitted their logos/text/etc, then any auth request coming in with
> the registered realm could display those pictures. There is a
> danger that hacker.com might register and upload the Wells Fargo
> logo, but OAuth won't prevent that.
Previously negotiated consumer keys, e.g. whitelisting. It would
prevent any transaction from occurring. Unless I'm horribly
misreading something, step 7 is registration, stating:
The Combined Consumer and the Combined Provider agree on a consumer
key and consumer secret (see [OAuth]).
http://step2.googlecode.com/svn/spec/openid_oauth_extension/latest/openid_oauth_extension.html
> To avoid registration at all, an OP could perform discovery on the
> RP realm and find an XRDS with pointers to the resources that the RP
> wants to display. Again, you have the phishing logo problem here,
> but as far as I can tell there's no good way to fix that without a
> trust infrastructure. Perhaps one of those extra-strong SSL certs
> at the RP during discovery would provide the needed assurance of a
> legitimate company?
I would really like the ability to signal more information about the
OP/RP beyond just validation that they are the entity they think they
are. We need to know set or group membership, for example, as
determined by asking the entity authoritative for that group.
While that could hypothetically be embedded as certificate extensions,
we've found in practice that certificate vendors are not nimble or
eager to incorporate extensions in the certificates they issue.
Thanks a lot,
Nate.
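As an added illustration of the discovery-based approach Andrew sketches above (not code from either poster or from the OpenID/OAuth specs), the following Python shows what an OP-side check could look like: the OP verifies that the request's return_to lies within the asserted realm (OpenID 2.0 realm matching), then performs RP discovery by parsing the realm's XRDS and confirming the return_to endpoint is listed there, and only then releases branding pointers to the UI. The XRDS document is constructed for the example; the `http://example.invalid/openid/branding` service type is a hypothetical placeholder, not a defined extension. Note the last check: the code only accepts branding assets hosted under the verified realm, which attributes what is displayed to that realm but, as the thread says, does nothing to stop a registered hacker.com from hosting a copied bank logo.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

XRD_NS = "xri://$xrd*($v*2.0)"
# Defined by OpenID Authentication 2.0 for RP discovery.
RETURN_TO_TYPE = "http://specs.openid.net/auth/2.0/return_to"
# Hypothetical service type for RP-supplied branding assets (placeholder, not a real spec).
BRANDING_TYPE = "http://example.invalid/openid/branding"

# Constructed sample XRDS, as an OP might fetch from the RP's realm URL.
SAMPLE_XRDS = """<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service priority="10">
      <Type>http://specs.openid.net/auth/2.0/return_to</Type>
      <URI>https://www.example-bank.test/openid/return</URI>
    </Service>
    <Service>
      <Type>http://example.invalid/openid/branding</Type>
      <URI>https://www.example-bank.test/static/logo.png</URI>
      <URI>https://cdn.unrelated.test/logo.png</URI>
    </Service>
  </XRD>
</xrds:XRDS>
"""


def _port(parts):
    """Effective port of a parsed URL, defaulting by scheme."""
    return parts.port or (443 if parts.scheme == "https" else 80)


def realm_matches(realm, url):
    """OpenID 2.0 realm matching: same scheme and port, host equal (or under a
    '*.' wildcard), and the URL path equal to or below the realm path."""
    r, u = urlparse(realm), urlparse(url)
    if r.scheme not in ("http", "https") or r.scheme != u.scheme or r.fragment:
        return False
    if _port(r) != _port(u):
        return False
    rhost, uhost = (r.hostname or "").lower(), (u.hostname or "").lower()
    if rhost.startswith("*."):
        base = rhost[2:]
        if not base or "." not in base:  # reject overly broad wildcards like "*.com"
            return False
        if not (uhost == base or uhost.endswith("." + base)):
            return False
    elif rhost != uhost or not rhost:
        return False
    rpath, upath = r.path or "/", u.path or "/"
    if rpath.endswith("/"):
        return upath.startswith(rpath)
    return upath == rpath or upath.startswith(rpath + "/")


def parse_xrds_services(xrds_text):
    """Map each XRDS service Type URI to the list of URIs advertised for it."""
    root = ET.fromstring(xrds_text)
    services = {}
    for svc in root.iter("{%s}Service" % XRD_NS):
        types = [t.text.strip() for t in svc.findall("{%s}Type" % XRD_NS) if t.text]
        uris = [u.text.strip() for u in svc.findall("{%s}URI" % XRD_NS) if u.text]
        for t in types:
            services.setdefault(t, []).extend(uris)
    return services


def authorize_display(realm, return_to, xrds_text):
    """OP-side gate: return branding URIs for the UI only if return_to is inside
    the realm, the realm's XRDS lists that return_to endpoint, and the asset
    itself is hosted under the same realm. Returns None when verification fails."""
    if not realm_matches(realm, return_to):
        return None
    services = parse_xrds_services(xrds_text)
    # RP discovery: the listed endpoint is treated like a realm (prefix match).
    if not any(realm_matches(ep, return_to) for ep in services.get(RETURN_TO_TYPE, [])):
        return None
    return [uri for uri in services.get(BRANDING_TYPE, []) if realm_matches(realm, uri)]


if __name__ == "__main__":
    realm = "https://*.example-bank.test/"
    print(authorize_display(realm, "https://www.example-bank.test/openid/return", SAMPLE_XRDS))
    print(authorize_display(realm, "https://www.example-bank.test/elsewhere", SAMPLE_XRDS))
```

The wildcard guard and the "asset under the realm" filter are this example's own design choices; the realm matching rules themselves follow the OpenID 2.0 specification's description of realm and return_to comparison.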