[OpenID] Graphical UIs
Nate Klingenstein
ndk at internet2.edu
Fri May 15 05:46:41 UTC 2009
On rereading this, you might have meant that the OAuth registration of
the RP with the OP would be completely automated and promiscuous. In
that case, I'd totally agree with you. But it's a "woah -- dude"
moment for me because it's so counter to our deployment paradigm.
Hope there was no confusion,
Nate.
On May 14, 2009, at 11:28 PM, Nate Klingenstein wrote:
>> Why would OAuth be necessary? If an RP registered with an OP and
>> submitted their logos/text/etc, then any auth request coming in
>> with the registered realm could display those pictures. There is a
>> danger that hacker.com might register and upload the Wells Fargo
>> logo, but OAuth won't prevent that.
>
> Previously negotiated consumer keys, e.g. whitelisting. It would
> prevent any transaction from occurring. Unless I'm horribly
> misreading something, step 7 is registration, stating:
>
> The Combined Consumer and the Combined Provider agree on a consumer
> key and consumer secret (see [OAuth]).
>
> http://step2.googlecode.com/svn/spec/openid_oauth_extension/latest/openid_oauth_extension.html