On 10/9/06, Recordon, David <[EMAIL PROTECTED]> wrote:
> In terms of openid.display, shouldn't the IdP greet the user in whatever
> manner it uses? Thus if the user has an account on the IdP, the IdP
> should always greet the user in the same manner with it. Seems like
> both a usability, phishing, and potential XSS issue if the IdP greets
> the user with a string from the RP.
>
> Am I just missing something there?

The display name is only useful for XRI synonyms. Basically, =foo and =bar could both be tied to the same i-number. Doing resolution on =foo and =bar will yield the same "canonical id," which means that they represent one logical entity. Drummond wants the display name to tell the IdP *which* synonym the user entered at the RP so that the IdP can present that same synonym in the UI, since the "canonical id" is both the IdP user identifier and the RP user identifier, but is not user-friendly (=!1234.1234.1234.1234).

For URIs, the display name *must* be the same as the RP user identifier, because there is no other value that is verifiable by the IdP.

Does that explanation help?

Josh