proposal: RP display

Brad Fitzpatrick brad at danga.com
Wed Sep 20 05:40:34 UTC 2006


Cool.  Well, let me know if you think of one.  But I just don't want to be
hypocrites, not using extensions when we're telling everybody else OpenID
is extensible...


On Tue, 19 Sep 2006, Dick Hardt wrote:

> Good point. I can't think of a good reason why it must be in core
> right now.
>
> On 19-Sep-06, at 7:23 PM, Brad Fitzpatrick wrote:
>
> > Any reason this can't be an optional extension rather than optional
> > in the
> > core?
> >
> >
> > On Tue, 19 Sep 2006, Dick Hardt wrote:
> >
> >>
> >> A trusted CA would have signed the PayPal logo. As mentioned,
> >> CardSpace is doing this, so OpenID would be able to follow what works
> >> (or does not)
> >>
> >> On 19-Sep-06, at 4:48 PM, Brad Fitzpatrick wrote:
> >>
> >>> Drawbacks:
> >>>    - false sense of security
> >>>
> >>> Can't badguy.com just crypto sign a PayPal logo hosted on
> >>> badguy.com?
> >>>
> >>>
> >>>
> >>> On Mon, 18 Sep 2006, Dick Hardt wrote:
> >>>
> >>>> Problem:
> >>>>
> >>>> Identity of the RP is based on either the return_url or trust_root.
> >>>> While these strings have the advantage that they are somewhat
> >>>> verifiable as they are where the response will be sent, neither of
> >>>> these are user friendly. An organization name and/or a graphic
> >>>> can be
> >>>> more communicative. Additionally, when the user is wanting to
> >>>> review
> >>>> something that happened with an RP later on, the URL may be quite
> >>>> cryptic.
> >>>>
> >>>> The question arises, how does the IdP verify that the string or
> >>>> graphic is really associated with the RP? Given that the user
> >>>> started
> >>>> off at the RP, and that somehow the user knows the RP is really the
> >>>> RP (a separate issue), then the user will be surprised by a graphic
> >>>> or string that is not related to the site the RP. In other
> >>>> words, if
> >>>> the user is being phished,  a cryptic URL is not going to
> >>>> provide the
> >>>> user with anything they have not already seen in the browser. An
> >>>> org
> >>>> name and/or graphic can be verified to belonging to the RP by a 3rd
> >>>> party, so the IdP can show the user if the displayed info has been
> >>>> verified or not.
> >>>>
> >>>> CardSpace is supporting signed graphics and I think is looking
> >>>> at the
> >>>> CA cert to check org name, so OpenID would be able to use a similar
> >>>> mechanism.
> >>>>
> >>>> Proposal:
> >>>> 	The additional of two optional parameters:
> >>>> 	= 'openid.logo_url - URL of either a signed or unsigned graphic
> >>>> (size TBD)
> >>>> 	= 'openid.org_name' - organization name of RP
> >>>>
> >>>> Benefits:
> >>>> 	+ improved user experience
> >>>> 	+ mechanism for IdP to display verified data about RP to user
> >>>>
> >>>> Drawbacks:
> >>>> 	- additional work required for IdP to support, although IdP could
> >>>> ignore
> >>>>
> >>>>
> >>>>
> >>>> _______________________________________________
> >>>> specs mailing list
> >>>> specs at openid.net
> >>>> http://openid.net/mailman/listinfo/specs
> >>>>
> >>>>
> >>>
> >>>
> >>
> >>
> >
> >
>
>



More information about the specs mailing list