<html><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">On rereading this, you might have meant that the OAuth registration of the RP with the OP would be completely automated and promiscuous. In that case, I'd totally agree with you. But it's a "woah -- dude" moment for me because it's so counter to our deployment paradigm.<div><br></div><div>Hope there was no confusion,</div><div>Nate.<br><div><br><div><div>On May 14, 2009, at 11:28 PM, Nate Klingenstein wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite"><span class="Apple-style-span" style="border-collapse: separate; color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; -webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0; "><blockquote type="cite"><span class="Apple-style-span" style="border-collapse: separate; color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; -webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; ">Why would OAuth be necessary? If an RP registered with an OP and submitted their logos/text/etc, then any auth request coming in with the registered realm could display those pictures. 
There is a danger that <a href="http://hacker.com">hacker.com</a> might register and upload the Wells Fargo logo, but OAuth won't prevent that.</span></blockquote><div><br></div><div>Previously negotiated consumer keys, e.g. whitelisting. It would prevent any transaction from occurring. Unless I'm horribly misreading something, step 7 is registration, stating:</div><div><br></div><div><span class="Apple-style-span" style="font-family: verdana; font-size: 13px; ">The Combined Consumer and the Combined Provider agree on a consumer key and consumer secret (see <a class="info" href="http://step2.googlecode.com/svn/spec/openid_oauth_extension/latest/openid_oauth_extension.html#OAuth" style="font-weight: bold; position: relative; z-index: 24; text-decoration: none; color: rgb(153, 0, 0); background-color: transparent; ">[OAuth]</a>).</span></div><div><br></div><div><a href="http://step2.googlecode.com/svn/spec/openid_oauth_extension/latest/openid_oauth_extension.html">http://step2.googlecode.com/svn/spec/openid_oauth_extension/latest/openid_oauth_extension.html</a></div></span></blockquote></div><br></div></div></body></html>