I think you may have me mistaken for somebody else on the list (DR is also
David Recordon). I'm a big fan of IdP-initiated login and privacy protection.
However, as much as I think that's an important use case, there are also many
use cases around using a public, omnidirectional identifier. So OpenID
should accommodate both.
From: Chris Drake [mailto:[EMAIL PROTECTED]]
Sent: Monday, October 16, 2006 8:29 PM
To: Drummond Reed
Cc: 'Martin Atkins'; firstname.lastname@example.org
Subject: Re: Identifier portability: the fundamental issue
DR> ... if there is any record at all of any association between these
DR> two identities, ...
Double-blind anonymous authentication solves this problem. The RP
knows nothing more about you besides:
A) you're authenticated, and/or
B) you've been here before (e.g. have signed up for an account)
The IdP knows merely:
C) that you wanted to log in somewhere
The RP does not know your ID or even your IdP, and your IdP does not
know what site you logged in to.
I have a working proof-of-concept that I demonstrated to a few people
some months back; let me know if you've not seen it, and I'll send
over the URL.
In a nutshell - this relies on uniform nonce formats and asymmetric
cryptography (so the RP and IdP can talk between one another without
making any actual contact - the browser and/or user carry the
authentication payloads forth and back without referrer URLs or any
other info that can link the 2 sites (RP/IdP) together).
Besides all that, the normal use case for an IdP in the OpenID world
(remember: decentralized) will be someone running some open-source
code on their own server, so trust in this instance *is* boolean, at
least in so far as if there's anything for someone to not be
trustworthy about themselves for, it won't be the fault of their IdP
code, PROVIDING their IdP has provided them with IdP-initiated logins
in order to allow this user to protect their own privacy in the first
Court orders are what I termed 3.5 Authorized exploitation in my
threat list, and insider leaks I called 1.3.6 Physical attack of
server resources (e.g. server/hosting-facility compromise). There are
another 98 threats to keep in mind here as well:-
While your example might seem extreme, the consequences are also
extreme (or fatal, if you live someplace like China), which is why I
take privacy so seriously. Stick "Himalayas video" into Google News
if you want to watch what the Chinese do to their own people when found
trying to visit the Dalai Lama. Now, how comfortable are you with
the idea of letting 1.5 billion Chinese people use OpenID without
making it easy to help them protect their own privacy?
There's a big picture here, and it's not about meeting some arbitrary
deadline or saving a day or two of coding work - it's about producing
something that works, and can be deployed ethically.
Take a long hard look at that nun lying dead in the snow, then tell me
you still believe there's no need for IdP-initiated privacy protection.
Tuesday, October 17, 2006, 7:29:00 AM, you wrote:
DR> +1. Trust is not a boolean. Martin, that's very quotable. Can I
DR> it to you?
DR> -----Original Message-----
DR> From: [EMAIL PROTECTED]
DR> [mailto:[EMAIL PROTECTED]] On Behalf
DR> Of Martin Atkins
DR> Sent: Monday, October 16, 2006 12:25 PM
DR> To: email@example.com
DR> Subject: Re: Identifier portability: the fundamental issue
DR> Chris Drake wrote:
There seem to be a lot of people on this list who want to hate and
loathe the IdP, and grant all power to the RP. I do not understand
this reasoning: our users will select the IdP they trust and like,
then they will be using a multitude of possibly hostile RPs
thereafter: the reverse is simply not true.
DR> If I'm using one IdP to assert my primary public identity, they can
DR> hypothetically develop quite a profile about me. I probably don't mind
DR> too much in most cases, because I researched them and found that they
DR> are a good provider and won't sell my data out to the bad guys.
DR> However, there might be some things I want to do (for example, posting
DR> locally-prohibited speech on a public forum) that I don't want attached
DR> in any way, shape or form to my public identity. The trust relationship
DR> I have with that IdP probably isn't enough for this; if there is any
DR> record at all of any association between these two identities, as
DR> friendly as my IdP may be, there is a chance that it will be seized by
DR> court order, or leaked by an insider, which might lead to me getting in
DR> serious legal trouble.
DR> This is just one (perhaps extreme) example of why my trust in my IdP is
DR> not universal and all-encompassing. Trust is not a boolean.
DR> specs mailing list