<br><br>
<div class="gmail_quote">On Mon, Feb 16, 2009 at 12:11 PM, George Fletcher <span dir="ltr"><<a href="mailto:gffletch@aol.com">gffletch@aol.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid">
<div class="Ih2E3d">><br>> Are you proposing to send images on unsigned requests from unknown<br>> sources and have the OP dynamically include it in images show to<br>> end-users?<br></div>Argh... yes, that is what I was suggesting but I forgot that OpenID RP<br>
requests are not signed. Not sure why they aren't signed if an<br>association has been made... but as that's not part of the spec it's not<br>a solution.<br><br>I still believe this is an important feature, and was hoping to avoid<br>
out-of-band provisioning as that makes this feature OP specific and RP's<br>may have to do different things to work with different OPs. But maybe<br>that's the only solution right now:(<br><br>Maybe the OpenID 2.1 WG could take on "signed RP authn requests" :)<br>
Could probably just leverage 2-legged OAuth with the consumer<br>token:secret representing the RP.<br><br>Thanks,<br>George<br><br></blockquote>
<div>Do you think a dynamic image is necessary for a popup that changes based on a given context ? Since it's a popup - it's sitting on top of the original window anyway.</div>
<div> </div>
<div>It would be great if we support exchanging a static (ssl) image url during association though - so it can be used similar to the way FBConnect presents the information flow between OP and RP.</div>
<div> </div>
<div> </div>
<div>- Praveen</div>
<div> </div></div>