proposal: RP display
Drummond Reed
drummond.reed at cordance.net
Wed Sep 20 16:59:45 UTC 2006
RP verification is as big and as important an issue as IdP verification.
This will not be easy no matter what we do.
Dick's right that if high-assurance SSL certs that CardSpace is planning to
use (see http://www.geotrusteurope.com/products/high-assurance-ssl/faq.asp)
get traction, OpenID IdPs should be able to take advantage of them. But
there is no standard yet, and none have been issued, so any solutions in the
OpenID 2.0 timeframe will need to use other methods.
That said, I'm all in favor of mechanisms that allow RPs to assert their
identity and IdPs to verify it on behalf of their users.
=Drummond
-----Original Message-----
From: specs-bounces at openid.net [mailto:specs-bounces at openid.net] On Behalf
Of Dick Hardt
Sent: Monday, September 18, 2006 8:12 PM
To: specs at openid.net
Subject: proposal: RP display
Problem:
Identity of the RP is based on either the return_url or trust_root.
While these strings have the advantage that they are somewhat
verifiable as they are where the response will be sent, neither of
these are user friendly. An organization name and/or a graphic can be
more communicative. Additionally, when the user is wanting to review
something that happened with an RP later on, the URL may be quite
cryptic.
The question arises, how does the IdP verify that the string or
graphic is really associated with the RP? Given that the user started
off at the RP, and that somehow the user knows the RP is really the
RP (a separate issue), then the user will be surprised by a graphic
or string that is not related to the site of the RP. In other words, if
the user is being phished, a cryptic URL is not going to provide the
user with anything they have not already seen in the browser. An org
name and/or graphic can be verified as belonging to the RP by a 3rd
party, so the IdP can show the user if the displayed info has been
verified or not.
CardSpace is supporting signed graphics and I think is looking at the
CA cert to check org name, so OpenID would be able to use a similar
mechanism.
Proposal:
The addition of two optional parameters:
= 'openid.logo_url' - URL of either a signed or unsigned graphic
(size TBD)
= 'openid.org_name' - organization name of RP
Benefits:
+ improved user experience
+ mechanism for IdP to display verified data about RP to user
Drawbacks:
- additional work required for IdP to support, although IdP could
ignore
_______________________________________________
specs mailing list
specs at openid.net
http://openid.net/mailman/listinfo/specs
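An added example, not from this thread and not code from any OpenID implementation, of how an IdP might consume the two proposed parameters without letting an unverified RP borrow another organisation's name or logo. Assumptions: the ATTESTED_ORG_NAMES table stands in for the "3rd party" verification the proposal mentions; realm matching follows the OpenID 2.0 style (a leading "*." matches the bare domain and its subdomains); the rule that an unsigned logo is only shown when served from the RP's own trust_root is my policy, not the proposal's; and since signed graphics are still "TBD" in the proposal, no logo is ever marked verified here. The query strings in the usage section are constructed.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed stand-in for the third-party verifier: trust_root -> attested org name.
# Assumption: a real IdP would get this from a verifier, not a hard-coded table.
ATTESTED_ORG_NAMES = {
    "https://shop.example.com/": "Example Shop Ltd",
}


def _host_matches(pattern_host, host):
    """Realm host matching: '*.example.com' matches example.com and any subdomain,
    otherwise hosts must be identical (OpenID 2.0 style; assumption for 1.x)."""
    if pattern_host.startswith("*."):
        bare = pattern_host[2:]
        return host == bare or host.endswith("." + bare)
    return host == pattern_host


def _port(u):
    """Explicit port, or the scheme default so https://a/ and https://a:443/ agree."""
    return u.port if u.port is not None else {"http": 80, "https": 443}.get(u.scheme)


def url_within_realm(url, realm):
    """True if url shares the realm's scheme and port, has a matching host, and its
    path lies under the realm's path. Used for return_to and, by policy, logo_url."""
    u, r = urlsplit(url), urlsplit(realm)
    if u.scheme != r.scheme or _port(u) != _port(r):
        return False
    if not _host_matches((r.hostname or "").lower(), (u.hostname or "").lower()):
        return False
    return (u.path or "/").startswith(r.path or "/")


def rp_display(query_string):
    """Parse an OpenID checkid_* request and decide what the IdP shows for the RP.

    Returns a dict with the name and logo to render plus a verified flag for each,
    so the UI can mark unverified claims as such. Raises ValueError when return_to
    is not inside trust_root, the one check the protocol already gives us.
    """
    p = {k: v[0] for k, v in parse_qs(query_string, keep_blank_values=True).items()}
    return_to = p["openid.return_to"]
    trust_root = p.get("openid.trust_root") or return_to
    if not url_within_realm(return_to, trust_root):
        raise ValueError("openid.return_to is not under openid.trust_root")

    # org_name is "verified" only if an attestation ties it to this exact trust_root;
    # a phishing RP sending a famous org_name from its own realm fails this.
    org_name = p.get("openid.org_name")
    org_verified = org_name is not None and ATTESTED_ORG_NAMES.get(trust_root) == org_name

    # Policy assumption: an unsigned logo is shown only when served from the RP's own
    # realm, so logo_url cannot simply point at the real brand's image. Signed
    # graphics have no defined format in the proposal, so nothing is marked verified.
    logo_url = p.get("openid.logo_url")
    logo_shown = logo_url if (logo_url and url_within_realm(logo_url, trust_root)) else None

    return {
        "trust_root": trust_root,              # always available as the fallback identifier
        "display_name": org_name or trust_root,
        "org_name_verified": org_verified,
        "logo_url": logo_shown,
        "logo_verified": False,
    }


if __name__ == "__main__":
    # Constructed requests: one genuine RP, one look-alike borrowing the name and logo.
    genuine = ("openid.mode=checkid_setup"
               "&openid.return_to=https%3A%2F%2Fshop.example.com%2Fopenid%2Freturn"
               "&openid.trust_root=https%3A%2F%2Fshop.example.com%2F"
               "&openid.logo_url=https%3A%2F%2Fshop.example.com%2Flogo.png"
               "&openid.org_name=Example+Shop+Ltd")
    lookalike = ("openid.mode=checkid_setup"
                 "&openid.return_to=https%3A%2F%2Fshop-example.com%2Fcb"
                 "&openid.trust_root=https%3A%2F%2Fshop-example.com%2F"
                 "&openid.logo_url=https%3A%2F%2Fshop.example.com%2Flogo.png"
                 "&openid.org_name=Example+Shop+Ltd")
    for req in (genuine, lookalike):
        print(rp_display(req))
```

The look-alike request still carries "Example Shop Ltd" as its display name, which is exactly what the proposal asks for: the IdP shows the string but flags it unverified, and it refuses to render the borrowed logo at all, so the user sees the cryptic trust_root alongside the unverified name rather than a convincing brand page.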