Hi guys, <div><br></div><div>why are we talking about trust brokers, X.509, and OAuth? </div><div><br></div><div>Breno's original post was asking about a mechanism for displaying favicons or something similar on the OP's approval page. The problem we're currently having is not that people get phished left and right with OpenID. The problem we're having is that RPs _still_ opt against OpenID because their users find it too hard to use. Putting branding information of the RP on the OP's approval page will hopefully help with this problem - it gives users some more context about what's going on. </div>
<div><br></div><div>+1 on Breno's idea to use /host-meta for this. He also mentioned that multiple sizes could be supported. How about if a host-meta looked something like this:</div><div><br></div><div>Link: <<a href="http://example.com/images/small-icon.gif">http://example.com/images/small-icon.gif</a>>; rel="brand-image"; type="image/gif"; size="16x16"; </div>
<div><div>Link: <<a href="https://example.com/images/small-icon.gif">https://example.com/images/small-icon.gif</a>>; rel="brand-image"; type="image/gif"; size="16x16"; </div><div><div>Link: <<a href="http://example.com/images/big-icon.png">http://example.com/images/big-icon.png</a>>; rel="brand-image"; type="image/png"; size="48x48"; </div>
<div><div>Link: <<a href="https://example.com/images/big-icon.png">https://example.com/images/big-icon.png</a>>; rel="brand-image"; type="image/png"; size="48x48"; </div><div><br></div>
<div>This way, the OP could look for the image that best suits its needs.</div><div><br></div><div>Dirk.</div></div></div><br><div class="gmail_quote">On Fri, May 15, 2009 at 9:04 AM, George Fletcher <span dir="ltr"><<a href="mailto:gffletch@aol.com">gffletch@aol.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">As an OP, I want to know that the entity requesting an authentication (and in the context of this thread UI customizations) is really the same entity for which the UI customizations are requested. If I just trust the realm (even if an SSL based realm), then I'm not guaranteed that the presenter and the specified realm are really the same. This is pretty important to me. Even trusting the SSL cert of the realm doesn't help unless I can show that the request came from that realm. Signing would provide that "assurance".<br>
<br>
Thanks,<br>
George<br>
<br>
Andrew Arnott wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="im">
Thanks for trying to explain it Nate. Actually what I was wondering is why OAuth must be part of the request at all. There's been talk on this thread of bringing OAuth into it so that a signed message from the RP can be sent to the OP. First of all, using OAuth just for its signing seems like a misuse. The OpenID+OAuth extension that you described doesn't sign the request at all. And finally, it escapes me why the request needs to be signed at all. If an attacker were to form a request to look like it came from a legitimate company, then the assertion would go to that legitimate company (assuming RP discovery and return_to matching was successful) and the attacker would have gained nothing. <br>
So why must OAuth be part of login just so that logos from the RP can show up at the OP?<br>
--<br>
Andrew Arnott<br>
"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - S. G. Tallentyre<br>
<br>
<br></div><div class="im">
On Thu, May 14, 2009 at 10:46 PM, Nate Klingenstein <<a href="mailto:ndk@internet2.edu" target="_blank">ndk@internet2.edu</a> <mailto:<a href="mailto:ndk@internet2.edu" target="_blank">ndk@internet2.edu</a>>> wrote:<br>
<br>
On rereading this, you might have meant that the OAuth<br>
registration of the RP with the OP would be completely automated<br>
and promiscuous. In that case, I'd totally agree with you. But<br>
it's a "woah -- dude" moment for me because it's so counter to our<br>
deployment paradigm.<br>
<br>
Hope there was no confusion,<br>
Nate.<br>
<br>
<br>
On May 14, 2009, at 11:28 PM, Nate Klingenstein wrote:<br>
<br>
</div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="im">
Why would OAuth be necessary? If an RP registered with an OP<br>
and submitted their logos/text/etc, then any auth request coming<br></div>
in with the registered realm could display those pictures. There is a danger that <a href="http://hacker.com" target="_blank">hacker.com</a> <<a href="http://hacker.com" target="_blank">http://hacker.com</a>> might<div class="im">
<br>
register and upload the Wells Fargo logo, but OAuth won't<br>
prevent that. <br>
</div></blockquote><div class="im">
<br>
Previously negotiated consumer keys, e.g. whitelisting. It would<br>
prevent any transaction from occurring. Unless I'm horribly<br>
misreading something, step 7 is registration, stating:<br>
<br>
The Combined Consumer and the Combined Provider agree on a<br>
consumer key and consumer secret (see [OAuth]<br></div>
<<a href="http://step2.googlecode.com/svn/spec/openid_oauth_extension/latest/openid_oauth_extension.html#OAuth" target="_blank">http://step2.googlecode.com/svn/spec/openid_oauth_extension/latest/openid_oauth_extension.html#OAuth</a>>).<div class="im">
<br>
<br>
<a href="http://step2.googlecode.com/svn/spec/openid_oauth_extension/latest/openid_oauth_extension.html" target="_blank">http://step2.googlecode.com/svn/spec/openid_oauth_extension/latest/openid_oauth_extension.html</a><br>
</div></blockquote>
<br>
<br>
------------------------------------------------------------------------<div class="im"><br>
<br>
_______________________________________________<br>
general mailing list<br>
<a href="mailto:general@openid.net" target="_blank">general@openid.net</a><br>
<a href="http://openid.net/mailman/listinfo/general" target="_blank">http://openid.net/mailman/listinfo/general</a><br>
<br>
</div></blockquote><div><div></div><div class="h5">
_______________________________________________<br>
general mailing list<br>
<a href="mailto:general@openid.net" target="_blank">general@openid.net</a><br>
<a href="http://openid.net/mailman/listinfo/general" target="_blank">http://openid.net/mailman/listinfo/general</a><br>
</div></div></blockquote></div><br></div>