proposal: RP display
drummond.reed at cordance.net
Wed Sep 20 16:59:45 UTC 2006
RP verification is as big and as important an issue as IdP verification.
This will not be easy no matter what we do.
Dick's right that if high-assurance SSL certs that CardSpace is planning to
use (see http://www.geotrusteurope.com/products/high-assurance-ssl/faq.asp)
get traction, OpenID IdPs should be able to take advantage of them. But
there is no standard yet, and none have been issued, so any solutions in the
OpenID 2.0 timeframe will need to use other methods.
That said, I'm all in favor of mechanisms that allow RPs to assert their
identity and IdPs to verify it on behalf of their users.
From: specs-bounces at openid.net [mailto:specs-bounces at openid.net] On Behalf
Of Dick Hardt
Sent: Monday, September 18, 2006 8:12 PM
To: specs at openid.net
Subject: proposal: RP display
Identity of the RP is based on either the return_url or trust_root.
While these strings have the advantage that they are somewhat
verifiable as they are where the response will be sent, neither of
these are user friendly. An organization name and/or a graphic can be
more communicative. Additionally, when the user is wanting to review
something that happened with an RP later on, the URL may be quite
The question arises, how does the IdP verify that the string or
graphic is really associated with the RP? Given that the user started
off at the RP, and that somehow the user knows the RP is really the
RP (a separate issue), then the user will be surprised by a graphic
or string that is not related to the site the RP. In other words, if
the user is being phished, a cryptic URL is not going to provide the
user with anything they have not already seen in the browser. An org
name and/or graphic can be verified to belonging to the RP by a 3rd
party, so the IdP can show the user if the displayed info has been
verified or not.
CardSpace is supporting signed graphics and I think is looking at the
CA cert to check org name, so OpenID would be able to use a similar
The additional of two optional parameters:
= 'openid.logo_url - URL of either a signed or unsigned graphic
= 'openid.org_name' - organization name of RP
+ improved user experience
+ mechanism for IdP to display verified data about RP to user
- additional work required for IdP to support, although IdP could
specs mailing list
specs at openid.net
More information about the specs