I think you may have me mistaken for somebody else on the list (DR is also
David Recordon). I'm a big fan of IdP-initiated login and privacy protection
in OpenID.

However, as much as I think that's an important use case, there are also many
use cases around using a public, "omnidirectional" identifier. So OpenID
should accommodate both.


-----Original Message-----
From: Chris Drake [mailto:[EMAIL PROTECTED] 
Sent: Monday, October 16, 2006 8:29 PM
To: Drummond Reed
Cc: 'Martin Atkins';
Subject: Re[2]: Identifier portability: the fundamental issue

Hi Drummond,

DR> ... if there is any record at all of any association between these
DR> two identities, ...

Double-blind anonymous authentication solves this problem.  The RP
knows nothing more about you besides:
A) you're authenticated, and/or
B) you've been here before (e.g. have signed up for an account)
The IdP knows merely
C) that you wanted to log in somewhere

The RP does not know your ID or even your IdP, and your IdP does not
know what site you logged in to.

I have a working proof-of-concept that I demonstrated to a few people
some months back; let me know if you've not seen it, and I'll send
over the URL.

In a nutshell - this relies on uniform "nonce" formats and asymmetric
cryptography (so the RP and IdP can "talk" to one another without
making any actual contact - the browser and/or user "carry" the
authentication payloads back and forth without referrer URLs or any
other info that can link the 2 sites (RP/IdP) together).

Besides all that - the normal "use case" for an IdP in OpenID world
(remember: decentralized) will be someone running some open-source
code on their own server, so trust in this instance *is* boolean: at
least in so far as if there's anything for someone to not be
trustworthy about themselves for - it won't be the fault of their IdP
code PROVIDING their IdP has provided them with IdP-initiated logins
in order to allow this user to protect their own privacy in the first

Court orders are what I termed "3.5. Authorized exploitation" in my
threat list, and "insider leaks" I called "1.3.6. physical attack of
server resources (eg: server/hosting-facility compromise)" - there are
another 98 threats to keep in mind here as well:-

While your example might seem extreme, the consequences are also
extreme (or fatal, if you live someplace like China) - which is why I
take privacy so seriously.  Stick "Himalayas video" into Google News
if you want to watch what the Chinese do to their own people when found
trying to visit the Dalai Lama.  Now - how comfortable are you with
the idea of letting 1.5 billion Chinese people use OpenID without
making it easy to help them protect their own privacy?

There's a big picture here, and it's not about meeting some arbitrary
deadline or saving a day or two of coding work - it's about producing
something that works, and can be deployed ethically.

Take a long hard look at that nun lying dead in the snow, then tell me
you still believe there's no need for IdP-initiated privacy protection
in OpenID.

Kind Regards,
Chris Drake,

Tuesday, October 17, 2006, 7:29:00 AM, you wrote:

DR> +1. "Trust is not a boolean." Martin, that's very quotable. Can I
DR> it to you?

DR> =Drummond 

DR> -----Original Message-----
DR> [mailto:[EMAIL PROTECTED] On Behalf
DR> Of Martin Atkins
DR> Sent: Monday, October 16, 2006 12:25 PM
DR> To:
DR> Subject: Re: Identifier portability: the fundamental issue

DR> Chris Drake wrote:
>> There seem to be a lot of people on this list who want to hate and
>> loathe the IdP, and grant all power to the RP.  I do not understand
>> this reasoning:  our users will select the IdP they trust and like,
>> then they will be using a multitude of possibly hostile RPs
>> thereafter: the reverse is simply not true.

DR> If I'm using one IdP to assert my primary public identity, they can
DR> hypothetically develop quite a profile about me. I probably don't mind
DR> too much in most cases, because I researched them and found that they
DR> are a good provider and won't sell my data out to the bad guys.

DR> However, there might be some things I want to do (for example, posting
DR> locally-prohibited speech on a public forum) that I don't want attached
DR> in any way, shape or form to my public identity. The trust relationship
DR> I have with that IdP probably isn't enough for this; if there is any
DR> record at all of any association between these two identities, as
DR> friendly as my IdP may be, there is a chance that it will be seized by
DR> court order, or leaked by an insider, which might lead to me getting in
DR> serious legal trouble.

DR> This is just one (perhaps extreme) example of why my trust in my IdP is
DR> not universal and all-encompassing. Trust is not a boolean.

DR> _______________________________________________
DR> specs mailing list
