proposal: RP display

Brad Fitzpatrick brad at danga.com
Tue Sep 19 23:48:28 UTC 2006


Drawbacks:
   - false sense of security

Can't badguy.com just crypto sign a PayPal logo hosted on badguy.com?



On Mon, 18 Sep 2006, Dick Hardt wrote:

> Problem:
>
> Identity of the RP is based on either the return_url or trust_root.
> While these strings have the advantage that they are somewhat
> verifiable as they are where the response will be sent, neither of
> these are user friendly. An organization name and/or a graphic can be
> more communicative. Additionally, when the user is wanting to review
> something that happened with an RP later on, the URL may be quite
> cryptic.
>
> The question arises, how does the IdP verify that the string or
> graphic is really associated with the RP? Given that the user started
> off at the RP, and that somehow the user knows the RP is really the
> RP (a separate issue), then the user will be surprised by a graphic
> or string that is not related to the site of the RP. In other words, if
> the user is being phished, a cryptic URL is not going to provide the
> user with anything they have not already seen in the browser. An org
> name and/or graphic can be verified as belonging to the RP by a 3rd
> party, so the IdP can show the user if the displayed info has been
> verified or not.
>
> CardSpace is supporting signed graphics and I think is looking at the
> CA cert to check org name, so OpenID would be able to use a similar
> mechanism.
>
> Proposal:
> 	The addition of two optional parameters:
> 	= 'openid.logo_url' - URL of either a signed or unsigned graphic (size TBD)
> 	= 'openid.org_name' - organization name of RP
>
> Benefits:
> 	+ improved user experience
> 	+ mechanism for IdP to display verified data about RP to user
>
> Drawbacks:
> 	- additional work required for IdP to support, although IdP could ignore
>
>
>
> _______________________________________________
> specs mailing list
> specs at openid.net
> http://openid.net/mailman/listinfo/specs
>
>
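As an added illustration of the exchange above (not code from this thread, from OpenID, or from either author), the following Go program models the check an IdP would need to run before showing an org name or logo as "verified", with Ed25519 standing in for whatever signature scheme a deployment chooses. The host names, the attestation byte layout, the struct and the function names are this example's own assumptions. The first scenario is the one Brad raises: a logo signed by the RP's own key verifies under that key but says nothing about who the RP is, so the IdP accepts only signatures from a verifier key it already trusts. The signed message also includes the trust_root, so an attestation issued for one RP fails when another RP presents it.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// RPDisplay models the proposed optional parameters next to the existing
// trust_root. The field names are this example's own, not spec identifiers.
type RPDisplay struct {
	TrustRoot string // openid.trust_root, which the RP already sends
	OrgName   string // proposed openid.org_name
	Logo      []byte // bytes fetched from the proposed openid.logo_url
	Sig       []byte // signature the IdP is asked to rely on
}

// attestation is the byte string a signer commits to. Including the
// trust_root is what ties the org name and logo to one particular RP.
// The tag and layout are constructed for this example.
func attestation(d RPDisplay) []byte {
	h := sha256.New()
	h.Write([]byte("rp-display-v0\x00"))
	h.Write([]byte(d.TrustRoot))
	h.Write([]byte{0})
	h.Write([]byte(d.OrgName))
	h.Write([]byte{0})
	h.Write(d.Logo)
	return h.Sum(nil)
}

// Sign attaches a signature made with whatever key the caller holds.
func Sign(d RPDisplay, priv ed25519.PrivateKey) RPDisplay {
	d.Sig = ed25519.Sign(priv, attestation(d))
	return d
}

// IdPAccepts is the check the IdP runs before labelling the display data as
// verified: the signature must come from a verifier key the IdP already
// trusts, never from a key the RP itself supplies. Anything else is shown
// as unverified (or not at all), which is the IdP's own policy decision.
func IdPAccepts(d RPDisplay, trustedVerifiers []ed25519.PublicKey) bool {
	msg := attestation(d)
	for _, pk := range trustedVerifiers {
		if ed25519.Verify(pk, msg, d.Sig) {
			return true
		}
	}
	return false
}

// Scenarios returns, in order: (1) a logo signed by the RP's own key,
// (2) the same name and logo attested by a trusted third party for the
// right trust_root, and (3) that genuine attestation presented under a
// different trust_root. Keys and host names are generated/constructed here.
func Scenarios() (selfSigned, thirdParty, replayed bool) {
	verifierPub, verifierPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	_, rpPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	trusted := []ed25519.PublicKey{verifierPub}

	logo := []byte("PNG bytes of a well-known logo (constructed)")

	// (1) The RP hosts someone else's logo and signs it with its own key.
	self := Sign(RPDisplay{TrustRoot: "http://example-rp.test/",
		OrgName: "Example Bank", Logo: logo}, rpPriv)
	selfSigned = IdPAccepts(self, trusted)

	// (2) A trusted verifier attests that this name and logo belong to
	// this trust_root.
	attested := Sign(RPDisplay{TrustRoot: "http://example-bank.test/",
		OrgName: "Example Bank", Logo: logo}, verifierPriv)
	thirdParty = IdPAccepts(attested, trusted)

	// (3) Another trust_root presents the verifier's signature unchanged.
	replay := attested
	replay.TrustRoot = "http://example-rp.test/"
	replayed = IdPAccepts(replay, trusted)
	return
}

func main() {
	a, b, c := Scenarios()
	fmt.Printf("self-signed accepted: %v\n", a)        // false
	fmt.Printf("third-party attested accepted: %v\n", b) // true
	fmt.Printf("replayed attestation accepted: %v\n", c) // false
}
```

The program does not decide who the trusted verifier is; that is exactly the question the proposal leaves open (CardSpace, as quoted above, leans on the CA certificate for the org name). What it does show is that the verification step has to bind the display data to the trust_root under a key the IdP trusts independently of the RP, otherwise the "verified" label is the false sense of security Brad lists as a drawback.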