proposal: RP display

Drummond Reed drummond.reed at
Wed Sep 20 16:59:45 UTC 2006

RP verification is as big and as important an issue as IdP verification.
This will not be easy no matter what we do.

Dick's right that if high-assurance SSL certs that CardSpace is planning to
use (see
get traction, OpenID IdPs should be able to take advantage of them. But
there is no standard yet, and none have been issued, so any solutions in the
OpenID 2.0 timeframe will need to use other methods.

That said, I'm all in favor of mechanisms that allow RPs to assert their
identity and IdPs to verify it on behalf of their users.


-----Original Message-----
From: specs-bounces at [mailto:specs-bounces at] On Behalf
Of Dick Hardt
Sent: Monday, September 18, 2006 8:12 PM
To: specs at
Subject: proposal: RP display 


Identity of the RP is based on either the return_url or trust_root.
While these strings have the advantage that they are somewhat
verifiable, as they are where the response will be sent, neither of
them is user friendly. An organization name and/or a graphic can be
more communicative. Additionally, when the user is wanting to review
something that happened with an RP later on, the URL may be quite

The question arises, how does the IdP verify that the string or
graphic is really associated with the RP? Given that the user started
off at the RP, and that somehow the user knows the RP is really the
RP (a separate issue), then the user will be surprised by a graphic
or string that is not related to the site of the RP. In other words, if
the user is being phished, a cryptic URL is not going to provide the
user with anything they have not already seen in the browser. An org
name and/or graphic can be verified as belonging to the RP by a 3rd
party, so the IdP can show the user if the displayed info has been
verified or not.

CardSpace is supporting signed graphics and I think is looking at the  
CA cert to check org name, so OpenID would be able to use a similar  

	The addition of two optional parameters:
	= 'openid.logo_url' - URL of either a signed or unsigned graphic
(size TBD)
	= 'openid.org_name' - organization name of RP

	+ improved user experience
	+ mechanism for IdP to display verified data about RP to user

	- additional work required for IdP to support, although IdP could  

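An added example, not code from the original thread or from either of the authors: an IdP-side sketch of how a checkid_setup request carrying the proposed openid.logo_url and openid.org_name parameters could be handled, with the org name labelled as verified or unverified before it is shown to the user. The trust_root matching follows the OpenID 1.1 rules (same scheme and port, host under a leading '*.' wildcard, path prefix; the assumption that '*.example.com' also matches the bare domain is this example's). The "3rd party" that vouches for the org name is stood in for by a constructed table, ORG_BY_HOST, playing the role of the Organization field in an RP's CA-issued certificate; the policy of only showing a logo served from inside the RP's own trust_root is likewise an assumption of this example, not part of the proposal.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed stand-in for the third-party source the proposal mentions
# (e.g. the Organization field of the RP's CA-issued cert). Not real data.
ORG_BY_HOST = {
    "shop.example.com": "Example Shop Inc.",
}


def _port(parts):
    """Explicit port, or the default for the scheme."""
    if parts.port is not None:
        return parts.port
    return 443 if parts.scheme == "https" else 80


def url_matches_trust_root(url, trust_root):
    """OpenID 1.1-style trust_root check: same scheme and port, host equal
    to the root host (or under it when the root starts with '*.'), and a
    path at or below the root's path."""
    u, r = urlsplit(url), urlsplit(trust_root)
    if u.scheme != r.scheme or _port(u) != _port(r):
        return False
    uhost, rhost = (u.hostname or "").lower(), (r.hostname or "").lower()
    if rhost.startswith("*."):
        base = rhost[2:]
        # Assumption: the wildcard form also matches the bare domain.
        if not (uhost == base or uhost.endswith("." + base)):
            return False
    elif uhost != rhost:
        return False
    rpath, upath = r.path or "/", u.path or "/"
    prefix = rpath if rpath.endswith("/") else rpath + "/"
    return upath == rpath or upath.startswith(prefix)


def rp_display(query):
    """IdP side: from a checkid_setup query string decide what may be shown
    about the RP, and whether the org name could be verified."""
    p = {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}
    return_to = p["openid.return_to"]
    trust_root = p.get("openid.trust_root") or return_to
    if not url_matches_trust_root(return_to, trust_root):
        raise ValueError("return_to is outside trust_root; refuse the request")
    rp_host = (urlsplit(return_to).hostname or "").lower()

    # Policy assumed by this example: a logo is only shown when it is served
    # from inside the RP's own trust_root, so the IdP never embeds an image
    # from an unrelated host in its login page.
    logo_url = p.get("openid.logo_url")
    if logo_url and not url_matches_trust_root(logo_url, trust_root):
        logo_url = None

    # The org name counts as verified only if the third-party source ties
    # exactly that name to the host the response will actually go to.
    org_name = p.get("openid.org_name")
    verified = bool(org_name) and ORG_BY_HOST.get(rp_host) == org_name
    return {"trust_root": trust_root, "org_name": org_name,
            "logo_url": logo_url, "verified": verified}


# Constructed sample requests (not captured traffic).
HONEST_REQUEST = urlencode({
    "openid.mode": "checkid_setup",
    "openid.identity": "https://alice.idp.example/",
    "openid.return_to": "https://shop.example.com/openid/return",
    "openid.trust_root": "https://shop.example.com/",
    "openid.logo_url": "https://shop.example.com/logo.png",
    "openid.org_name": "Example Shop Inc.",
})

# A look-alike RP claiming the shop's name and hot-linking the shop's logo.
PHISHING_REQUEST = urlencode({
    "openid.mode": "checkid_setup",
    "openid.identity": "https://alice.idp.example/",
    "openid.return_to": "https://shop-example.login.example.net/openid/return",
    "openid.trust_root": "https://shop-example.login.example.net/",
    "openid.logo_url": "https://shop.example.com/logo.png",
    "openid.org_name": "Example Shop Inc.",
})

if __name__ == "__main__":
    for label, q in (("honest", HONEST_REQUEST), ("phish", PHISHING_REQUEST)):
        print(label, rp_display(q))
```

For the look-alike request the IdP ends up with the same org name the user expected but with verified set to False and no logo, so what it shows is the unverified name beside the trust_root, which is exactly the "has this been verified or not" signal the proposal asks for.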