proposal: RP display

Dick Hardt dick at
Wed Sep 20 00:20:48 UTC 2006

A trusted CA would have signed the PayPal logo. As mentioned,  
CardSpace is doing this, so OpenID would be able to follow what works  
(or does not)

On 19-Sep-06, at 4:48 PM, Brad Fitzpatrick wrote:

> Drawbacks:
>    - false sense of security
> Can't just crypto sign a PayPal logo hosted on
> On Mon, 18 Sep 2006, Dick Hardt wrote:
>> Problem:
>> Identity of the RP is based on either the return_url or trust_root.
>> While these strings have the advantage that they are somewhat
>> verifiable as they are where the response will be sent, neither of
>> these are user friendly. An organization name and/or a graphic can be
>> more communicative. Additionally, when the user is wanting to review
>> something that happened with an RP later on, the URL may be quite
>> cryptic.
>> The question arises, how does the IdP verify that the string or
>> graphic is really associated with the RP? Given that the user started
>> off at the RP, and that somehow the user knows the RP is really the
>> RP (a separate issue), then the user will be surprised by a graphic
>> or string that is not related to the site the RP. In other words, if
>> the user is being phished,  a cryptic URL is not going to provide the
>> user with anything they have not already seen in the browser. An org
>> name and/or graphic can be verified to belonging to the RP by a 3rd
>> party, so the IdP can show the user if the displayed info has been
>> verified or not.
>> CardSpace is supporting signed graphics and I think is looking at the
>> CA cert to check org name, so OpenID would be able to use a similar
>> mechanism.
>> Proposal:
>> 	The additional of two optional parameters:
>> 	= 'openid.logo_url - URL of either a signed or unsigned graphic
>> (size TBD)
>> 	= 'openid.org_name' - organization name of RP
>> Benefits:
>> 	+ improved user experience
>> 	+ mechanism for IdP to display verified data about RP to user
>> Drawbacks:
>> 	- additional work required for IdP to support, although IdP could
>> ignore
>> _______________________________________________
>> specs mailing list
>> specs at

More information about the specs mailing list