Hi Drummond, DR> ... if there is any record at all of any association between these DR> two identities, ...
double-blind anonymous authentication solves this problem. The RP knows nothing more about you besides: A) you're authenticated, and/or B) you've been here before (eg: have signed up for an account) The IdP knows merely C) That you wanted to log in somewhere The RP does not know your ID or even your IdP, and your IdP does not know what site you logged in to. I have a working proof-of-concept that I demonstrated to a few people some months back, let me know if you've not seen it, and I'll send over the URL In a nutshell - this relies on uniform "nonce" formats and asymmetric cryptography (so the RP and IdP can "talk" between one another without making any actual contact - the browser and/or user "carry" the authentication payloads forth and back without referrer URLs or any other info that can link the 2 sites (RP/IdP) together). Besides all that - the normal "use case" for an IdP in OpenID world (remember: decentralized) will be someone running some open-source code on their own server, so trust in this instance *is* boolean: at least in so far as if there's anything for someone to not be trustworthy about themselves for - it won't be the fault of their IdP code PROVIDING their IdP has provided them with IdP-initiated logins in order to allow this user to protect their own privacy in the first place. Court orders are what I termed "3.5. Authorized exploitation" in my threat list, and "insider leaks" I called "1.3.6. physical attack of server resources (eg: server/hosting-facility compromise)" - there's another 98 other threats to keep in mind here as well:- http://chrisdrake.com/Comprehensive_list_of_Threats_to_Authentication_Procedures_and_Data.html While your example might seem extreme, the consequences are also extreme (or fatal, if you live someplace like China) - which is why I take privacy so seriously. Stick "Himalayas video" into google news if you want to watch what Chinese do to their own people when found trying to visit the Dalai Lama. Now - how comfortable are you with the idea of letting 1.5 billion Chinese people use OpenID without making it easy to help them protect their own privacy ? There's a big picture here, and it's not about meeting some arbitrary deadline or saving a day or two of coding work - it's about producing something that works, and can be deployed ethically. Take a long hard look at that Nun lying dead in the snow, then tell me you still believe there's no need for IdP-initiated privacy protection in OpenID. Kind Regards, Chris Drake, =1id.com Tuesday, October 17, 2006, 7:29:00 AM, you wrote: DR> +1. "Trust is not a boolean." Martin, that's very quotable. Can I attribute DR> it to you? DR> =Drummond DR> -----Original Message----- DR> From: [EMAIL PROTECTED] DR> [mailto:[EMAIL PROTECTED] On Behalf DR> Of Martin Atkins DR> Sent: Monday, October 16, 2006 12:25 PM DR> To: [email protected] DR> Subject: Re: Identifier portability: the fundamental issue DR> Chris Drake wrote: >> >> There seem to be a lot of people on this list who want to hate and >> loathe the IdP, and grant all power to the RP. I do not understand >> this reasoning: our users will select the IdP they trust and like, >> then they will be using a multitude of possibly hostile RPs >> thereafter: the reverse is simply not true. >> DR> If I'm using one IdP to assert my primary public identity, they can DR> hypothetically develop quite a profile about me. I probably don't mind DR> too much in most cases, because I researched them and found that they DR> are a good provider and won't sell my data out to the bad guys. DR> However, there might be some things I want to do (for example, posting DR> locally-prohibited speech on a public forum) that I don't want attached DR> in any way, shape or form to my public identity. The trust relationship DR> I have with that IdP probably isn't enough for this; if there is any DR> record at all of any association between these two identities, as DR> friendly as my IdP may be, there is a chance that it will be ceased by DR> court order, or leaked by an insider, which might lead to me getting in DR> serious legal trouble. DR> This is just one (perhaps extreme) example of why my trust in my IdP is DR> not universal and all-encompassing. Trust is not a boolean. DR> _______________________________________________ DR> specs mailing list DR> [email protected] DR> http://openid.net/mailman/listinfo/specs _______________________________________________ specs mailing list [email protected] http://openid.net/mailman/listinfo/specs
