proposal: RP display

Granqvist, Hans hgranqvist at verisign.com
Thu Sep 21 16:50:29 UTC 2006


Hey guys, I thought openid was all about how PKI s*cks!  ;)

Ok, so seriously, perhaps 

   'openid.certificate=[base64 encoded cert]' 

or even

   'openid.certpath'  for 0..n certs 

would be more useful since the parties involved can then
decide what to do with 'plain' certs that contain no such
extensions?


> -----Original Message-----
> From: specs-bounces at openid.net 
> [mailto:specs-bounces at openid.net] On Behalf Of Dick Hardt
> Sent: Tuesday, September 19, 2006 5:21 PM
> To: Brad Fitzpatrick
> Cc: specs at openid.net
> Subject: Re: proposal: RP display 
> 
> 
> A trusted CA would have signed the PayPal logo. As mentioned, 
> CardSpace is doing this, so OpenID would be able to follow 
> what works (or does not)
> 
> On 19-Sep-06, at 4:48 PM, Brad Fitzpatrick wrote:
> 
> > Drawbacks:
> >    - false sense of security
> >
> > Can't badguy.com just crypto sign a PayPal logo hosted on badguy.com?
> >
> >
> >
> > On Mon, 18 Sep 2006, Dick Hardt wrote:
> >
> >> Problem:
> >>
> >> Identity of the RP is based on either the return_url or trust_root.
> >> While these strings have the advantage that they are somewhat
> >> verifiable as they are where the response will be sent, neither of
> >> these are user friendly. An organization name and/or a graphic can be
> >> more communicative. Additionally, when the user is wanting to review
> >> something that happened with an RP later on, the URL may be quite
> >> cryptic.
> >>
> >> The question arises, how does the IdP verify that the string or
> >> graphic is really associated with the RP? Given that the user started
> >> off at the RP, and that somehow the user knows the RP is really the
> >> RP (a separate issue), then the user will be surprised by a graphic
> >> or string that is not related to the site of the RP. In other words, if
> >> the user is being phished, a cryptic URL is not going to provide the
> >> user with anything they have not already seen in the browser. An org
> >> name and/or graphic can be verified as belonging to the RP by a 3rd
> >> party, so the IdP can show the user if the displayed info has been
> >> verified or not.
> >>
> >> CardSpace is supporting signed graphics and I think is looking at the
> >> CA cert to check org name, so OpenID would be able to use a similar
> >> mechanism.
> >>
> >> Proposal:
> >> 	The addition of two optional parameters:
> >> 	= 'openid.logo_url' - URL of either a signed or unsigned graphic
> >> (size TBD)
> >> 	= 'openid.org_name' - organization name of RP
> >>
> >> Benefits:
> >> 	+ improved user experience
> >> 	+ mechanism for IdP to display verified data about RP to user
> >>
> >> Drawbacks:
> >> 	- additional work required for IdP to support, although IdP could
> >> ignore
> >>
> >>
> >>
> >> _______________________________________________
> >> specs mailing list
> >> specs at openid.net
> >> http://openid.net/mailman/listinfo/specs
> >>
> >>
> >
> >
> 
> 
> 
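The IdP-side check this thread is circling around, as an added example that is not part of the proposal or of any OpenID code: the org name is displayed as verified only if the RP's certificate chains to a trusted CA, is issued for the trust_root host, and carries that organization, so a certificate badguy.com holds for itself cannot vouch for the PayPal name. The parameter names follow the thread; the CA, the hosts and the issue() helper are constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"net/url"
	"time"
)

// IdP-side check: openid.org_name is shown as verified only if openid.certificate
// (DER) chains to a trusted CA, names the trust_root host, and carries that org.
func verifyRPDisplay(trustRoot, orgName string, certDER []byte, roots *x509.CertPool) error {
	u, err := url.Parse(trustRoot)
	if err != nil || u.Hostname() == "" { // an empty DNSName would skip the host check
		return errors.New("trust_root has no host")
	}
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return err
	}
	// Chain + host binding: badguy.com's own cert cannot vouch for another site's trust_root.
	if _, err = cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: u.Hostname()}); err != nil {
		return err
	}
	for _, o := range cert.Subject.Organization { // name must be the CA-validated one
		if o == orgName {
			return nil
		}
	}
	return errors.New("org_name does not match certificate subject")
}

// issue is a constructed test helper (not part of the proposal): a self-signed
// root when parent is nil, otherwise a leaf for host signed with parent's key pk.
func issue(org, host string, parent *x509.Certificate, pk ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), IsCA: parent == nil,
		BasicConstraintsValid: true, DNSNames: []string{host}, NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour),
		Subject: pkix.Name{Organization: []string{org}, CommonName: host}}
	if parent == nil {
		parent, pk = t, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, t, parent, pub, pk)
	c, _ := x509.ParseCertificate(der)
	return c, key
}
```

With a root made by issue() and leaves for paypal.com and badguy.com from that root, verifyRPDisplay accepts paypal.com's cert with org_name "PayPal" and rejects badguy.com's cert for the same name, for paypal.com's trust_root, or when it is self-signed rather than CA-issued.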


