<html><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">Andrew,<div><br><div><div><blockquote type="cite"><span class="Apple-style-span" style="border-collapse: separate; color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; -webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0; ">Why would OAuth be necessary? If an RP registered with an OP and submitted their logos/text/etc, then any auth request coming in with the registered realm could display those pictures. There is a danger that<span class="Apple-converted-space"> </span><a href="http://hacker.com">hacker.com</a><span class="Apple-converted-space"> </span>might register and upload the Wells Fargo logo, but OAuth won't prevent that. <span class="Apple-converted-space"> </span></span></blockquote><div><br></div><div>Previously negotiated consumer keys, e.g. whitelisting. It would prevent any transaction from occurring. Unless I'm horribly misreading something, step 7 is registration, stating:</div><div><br></div><div><span class="Apple-style-span" style="font-family: verdana; font-size: 13px; ">The Combined Consumer and the Combined Provider agree on a consumer key and consumer secret (see <a class="info" href="http://step2.googlecode.com/svn/spec/openid_oauth_extension/latest/openid_oauth_extension.html#OAuth" style="font-weight: bold; position: relative; z-index: 24; text-decoration: none; color: rgb(153, 0, 0); background-color: transparent; ">[OAuth]</a>).</span></div><div><br></div><div><a href="http://step2.googlecode.com/svn/spec/openid_oauth_extension/latest/openid_oauth_extension.html">http://step2.googlecode.com/svn/spec/openid_oauth_extension/latest/openid_oauth_extension.html</a></div><br><blockquote type="cite"><span class="Apple-style-span" style="border-collapse: separate; color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; -webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0; ">To avoid registration at all, an OP could perform discovery on the RP realm and find an XRDS with pointers to the resources that the RP wants to display. Again, you have the phishing logo problem here, but as far as I can tell there's no good way to fix that without a trust infrastructure. Perhaps one of those extra-strong SSL certs at the RP during discovery would provide the needed assurance of a legitimate company?<br></span></blockquote></div><br></div><div>I would really like the ability to signal more information about the OP/RP beyond just validation that they are the entity they think they are. We need to know set or group membership, for example, as determined by asking the entity authoritative for that group.</div><div><br></div><div>While that could hypothetically be embedded as certificate extensions, we've found in practice that certificate vendors are not nimble or eager to incorporate extensions in the certificates they issue.</div><div><br></div><div>Thanks a lot,</div><div>Nate.</div></div></body></html>