proposal: RP display
Dick Hardt
dick at sxip.com
Tue Sep 19 03:12:26 UTC 2006
Problem:
Identity of the RP is based on either the return_url or trust_root.
While these strings have the advantage that they are somewhat
verifiable as they are where the response will be sent, neither of
these are user friendly. An organization name and/or a graphic can be
more communicative. Additionally, when the user is wanting to review
something that happened with an RP later on, the URL may be quite
cryptic.
The question arises, how does the IdP verify that the string or
graphic is really associated with the RP? Given that the user started
off at the RP, and that somehow the user knows the RP is really the
RP (a separate issue), then the user will be surprised by a graphic
or string that is not related to the site the RP. In other words, if
the user is being phished, a cryptic URL is not going to provide the
user with anything they have not already seen in the browser. An org
name and/or graphic can be verified to belonging to the RP by a 3rd
party, so the IdP can show the user if the displayed info has been
verified or not.
CardSpace is supporting signed graphics and I think is looking at the
CA cert to check org name, so OpenID would be able to use a similar
mechanism.
Proposal:
The additional of two optional parameters:
= 'openid.logo_url - URL of either a signed or unsigned graphic
(size TBD)
= 'openid.org_name' - organization name of RP
Benefits:
+ improved user experience
+ mechanism for IdP to display verified data about RP to user
Drawbacks:
- additional work required for IdP to support, although IdP could
ignore
More information about the specs
mailing list