[OpenID] Graphical UIs
George Fletcher
gffletch at aol.com
Fri May 15 17:19:54 UTC 2009
Because in working with our products and services, just showing an icon
isn't enough. If the RP is going to have the flexibility to display
icons, text, etc... then I want more "trust" in who the RP is than just
a link to their icon that could really represent an entirely different
company/service.
So if phishing isn't a concern, I think this proposal is fine. As an OP,
I don't know that I want to blindly pull an image from the RP and
present it to the user. There are also other risks besides phishing,
such as showing inappropriate images.
Thanks,
George
Dirk Balfanz wrote:
> Hi guys,
>
> why are we talking about trust brokers, X.509, and OAuth?
>
> Breno's original post was asking about a mechanism for displaying
> favicons or something similar on the OP's approval page. The problem
> we're currently having is not that people get phished left and right
> with OpenID. The problem we're having is that RPs _still_ opt against
> OpenID because their users find it too hard to use. Putting branding
> information of the RP on the OP's approval page will hopefully help
> with this problem - it gives users some more context about what's
> going on.
>
> +1 on Breno's idea to use /host-meta for this. He also mentioned that
> multiple sizes could be supported. How about if a host-meta looked
> something like this:
>
> Link: <http://example.com/images/small-icon.gif>; rel="brand-image";
> type="image/gif"; size="16x16";
> Link: <https://example.com/images/small-icon.gif>; rel="brand-image";
> type="image/gif"; size="16x16";
> Link: <http://example.com/images/big-icon.png>; rel="brand-image";
> type="image/png"; size="48x48";
> Link: <https://example.com/images/big-icon.png>; rel="brand-image";
> type="image/png"; size="48x48";
>
> This way, the OP could look for the image that best suits its needs.
>
> Dirk.
>
> On Fri, May 15, 2009 at 9:04 AM, George Fletcher <gffletch at aol.com> wrote:
>
> As an OP, I want to know that the entity requesting an
> authentication (and in the context of this thread UI
> customizations) is really the same entity for which the UI
> customizations are requested. If I just trust the realm (even if
> an SSL based realm), then I'm not guaranteed that the presenter
> and the specified realm are really the same. This is pretty
> important to me. Even trusting the SSL cert of the realm doesn't
> help unless I can show that the request came from that realm.
> Signing would provide that "assurance".
>
> Thanks,
> George
>
> Andrew Arnott wrote:
>
> Thanks for trying to explain it Nate. Actually what I was
> wondering is why OAuth must be part of the request at all.
> There's been talk on this thread of bringing OAuth into it so
> that a signed message from the RP can be sent to the OP.
> First of all, using OAuth just for its signing seems like a
> misuse. The OpenID+OAuth extension that you described doesn't
> sign the request at all. And finally, it escapes me why the
> request needs to be signed at all. If an attacker were to
> form a request to look like it came from a legitimate company,
> then the assertion would go to that legitimate company
> (assuming RP discovery and return_to matching was successful)
> and the attacker would have gained nothing.
> So why must OAuth be part of login just so that logos from the
> RP can show up at the OP?
> --
> Andrew Arnott
> "I [may] not agree with what you have to say, but I'll defend
> to the death your right to say it." - S. G. Tallentyre
>
>
> On Thu, May 14, 2009 at 10:46 PM, Nate Klingenstein <ndk at internet2.edu> wrote:
>
> On rereading this, you might have meant that the OAuth registration of the
> RP with the OP would be completely automated and promiscuous. In that case,
> I'd totally agree with you. But it's a "woah -- dude" moment for me because
> it's so counter to our deployment paradigm.
>
> Hope there was no confusion,
> Nate.
>
>
> On May 14, 2009, at 11:28 PM, Nate Klingenstein wrote:
>
> Why would OAuth be necessary? If an RP registered with an OP and submitted
> their logos/text/etc, then any auth request coming in with the registered
> realm could display those pictures. There is a danger that hacker.com
> <http://hacker.com> might register and upload the Wells Fargo logo, but
> OAuth won't prevent that.
>
>
> Previously negotiated consumer keys, e.g. whitelisting. It would prevent any
> transaction from occurring. Unless I'm horribly misreading something, step 7
> is registration, stating:
>
> The Combined Consumer and the Combined Provider agree on a consumer key and
> consumer secret (see [OAuth]
> <http://step2.googlecode.com/svn/spec/openid_oauth_extension/latest/openid_oauth_extension.html#OAuth>).
>
> http://step2.googlecode.com/svn/spec/openid_oauth_extension/latest/openid_oauth_extension.html
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> general mailing list
> general at openid.net <mailto:general at openid.net>
> http://openid.net/mailman/listinfo/general
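Added example, not code from anyone on this thread: a sketch of how an OP might consume the host-meta Link entries in the shape Dirk proposed, choosing the size that best suits it while applying the kind of origin policy George is asking for before it pulls anything from the RP. The host-meta text is constructed, and the https-only, same-host-as-realm and allowed-type rules are assumptions about OP policy, not something the thread settled on.

```python
import re
from urllib.parse import urlparse

# Constructed host-meta text in the shape Dirk proposed; the last entry points
# at a different company's host, the case George is worried about.
HOST_META = """\
Link: <http://example.com/images/small-icon.gif>; rel="brand-image"; type="image/gif"; size="16x16";
Link: <https://example.com/images/small-icon.gif>; rel="brand-image"; type="image/gif"; size="16x16";
Link: <http://example.com/images/big-icon.png>; rel="brand-image"; type="image/png"; size="48x48";
Link: <https://example.com/images/big-icon.png>; rel="brand-image"; type="image/png"; size="48x48";
Link: <https://img.other-company.example/logo.png>; rel="brand-image"; type="image/png"; size="48x48";
"""
ALLOWED_TYPES = {"image/png", "image/gif"}  # assumption: the OP renders only these
_LINK_RE = re.compile(r'^Link:\s*<([^>]+)>\s*;(.*)$')
def parse_links(text):
    """Turn each Link line into {"uri", "rel", "type", "size"}; skip junk lines."""
    links = []
    for line in text.splitlines():
        m = _LINK_RE.match(line.strip())
        if not m:
            continue
        params = {}
        for part in m.group(2).split(";"):
            if "=" in part:
                k, v = part.split("=", 1)
                params[k.strip().lower()] = v.strip().strip('"')
        links.append({"uri": m.group(1), **params})
    return links

def acceptable(link, realm):
    """Assumed OP policy: brand-image rel, https only, same host as the realm, known type."""
    u = urlparse(link["uri"])
    return (link.get("rel") == "brand-image" and u.scheme == "https"
            and u.hostname == urlparse(realm).hostname
            and link.get("type") in ALLOWED_TYPES)

def pick_brand_image(text, realm, want=48):
    """Closest acceptable width to `want`, larger on ties; None if nothing passes."""
    best = None
    for link in parse_links(text):
        if not acceptable(link, realm):
            continue
        try:
            w, _h = (int(x) for x in link.get("size", "").lower().split("x"))
        except ValueError:
            continue
        key = (abs(w - want), -w)  # distance first, then prefer the larger image
        if best is None or key < best[0]:
            best = (key, link["uri"])
    return best[1] if best else None
```

With the realm `https://example.com/` the 48px request resolves to the https big-icon.png, the plain-http duplicates and the foreign-host entry are never fetched, and a realm on another host gets no image at all.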