[OpenID - Eu] Privacy and Security Risks when Authenticating on the Internet with European eID

Robert Ott ott at jnet.ch
Sat Dec 19 16:24:29 UTC 2009


Hi Hendrik,

Let me first explain some points on how SuisseID will be provided, as far as I can state at the moment.
- SuisseID will be based on standard X.509 client certificates.
- There will be 4 certificate providers (CSPs) which are eligible for issuing SuisseIDs:
   - SwissPost/SwissSign
   - Swisscom
   - QuoVadis
   - Swiss government for government internal purposes
- The issuers will SELL the hard-token based certificates to Swiss citizens.
- In 2010, the citizens will be able to get much of the price paid for the SuisseIDs back from the government (refund).
- It has not been 100% decided whether there will be one SAML based IDP service (for attribute access) or all of the CSPs will have to provide their own SAML based IDP service. Most likely, all CSPs will have to provide their own service.
- The SAML based attribute access service will be user-centric. Thus, the user decides who gets access to which of the attributes collected during the certificate issuing process.

Now to the OpenID scenario. As SuisseID is based on standard X.509 certificates, there is no barrier to OpenID providers accepting these client certificates and mapping such certificates to already existing OpenIDs. There are providers such as MyOpenID and our Clavid service providing such functionality for free. Thus, user-centric OpenID scenarios are already possible today.

In the case of a LOA-1 e-government application, an OpenID provider may act as a SAML assertion consumer service, asking via SAML for attributes provided by the CSPs. If the user agrees to transfer some attributes to the OpenID provider, the provider can use them as persona attributes and forward such attributes to OpenID relying parties (of course, only if the user agrees to that transfer too).

In addition, there will be possibilities to federate validated IDs between countries based on protocols such as OpenID, just like Martin's service does in Estonia. However, we have to work out a common understanding of how such a federation could be done, taking into account the different handling of eID in the various EU countries. I'm sure as technology and services come along, we'll find appropriate solutions for doing so.

But let's first focus on enabling the use of eIDs for OpenID relying parties and make users aware that they CAN use their eIDs for OpenID enabled services. Afterwards, we can concentrate on secure, trusted attribute exchange and cross-country federation.

Regards

Robert

On 19.12.2009, at 16:12, Henrik Biering wrote:

> Robert, can you briefly explain or point to the commercial conditions for signing up as an RP to SuisseID (which I did not notice on the SuisseID site).
> 
> We have a similar situation here in Denmark from mid 2010, where it will be trivial to bridge from SAML to OpenID from a technical standpoint, but where the upcoming government IDP (outsourced to a confederation of banks) has a very IDP-centric business model, which may cause problems in a user-centric OpenID scenario.
> 
> Robert Ott wrote:
>> We are currently in the process of bringing OpenID to attention with regards to SuisseID (http://www.suisseid.ch). Currently, the SuisseID specification solely defines SAML to be used for that purpose. I'm sure we'll be able to bridge that SAML protocol to OpenID to give SuisseID users the possibility to use their SuisseID more broadly for all OpenID enabled sites.
>> 
>> Regards
>> 
>> Robert
>> 
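
One way an OpenID provider could map a presented SuisseID client certificate to an already existing OpenID, as the "OpenID scenario" paragraph above describes. This is an added example, not code from Clavid, MyOpenID or the SuisseID project; the issuer names, the getpeercert()-shaped certificate dicts and the sample binding are constructed assumptions, and the TLS layer is assumed to have already chain-validated the certificate.

```python
import ssl
import time

# Constructed placeholder issuer DNs standing in for the eligible CSPs; the real
# SuisseID issuer names are an assumption, not taken from the thread.
ALLOWED_ISSUERS = {
    (("countryName", "CH"), ("organizationName", "Example CSP A")),
    (("countryName", "CH"), ("organizationName", "Example CSP B")),
}

def dn_to_tuple(dn):
    """Flatten the nested RDN tuples of ssl getpeercert() into a hashable, ordered DN."""
    return tuple(sorted(pair for rdn in dn for pair in rdn))

def certificate_to_binding_key(cert, now=None):
    """Return the (issuer, subject) key for a client certificate that TLS has already
    chain-validated (CERT_REQUIRED). Keying on issuer plus subject, never the subject
    alone, stops a same-named certificate from another CA matching the binding."""
    if now is None:
        now = time.time()
    issuer = dn_to_tuple(cert["issuer"])
    if issuer not in ALLOWED_ISSUERS:
        raise ValueError("issuer is not one of the eligible certificate providers")
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if not not_before <= now <= not_after:
        raise ValueError("certificate is outside its validity period")
    return issuer, dn_to_tuple(cert["subject"])

def lookup_openid(cert, bindings, now=None):
    """Map a verified certificate to an already existing OpenID, or None when the
    user has not linked this certificate yet (the OP can then offer to link it)."""
    return bindings.get(certificate_to_binding_key(cert, now))

def make_cert(issuer_org, common_name, not_before, not_after):
    """Build a constructed getpeercert()-shaped dict for demonstration purposes."""
    return {
        "issuer": ((("countryName", "CH"),), (("organizationName", issuer_org),)),
        "subject": ((("countryName", "CH"),), (("commonName", common_name),)),
        "notBefore": not_before,
        "notAfter": not_after,
    }

# Constructed sample: Alice linked her CSP A certificate to her OpenID earlier.
DEMO_NOW = ssl.cert_time_to_seconds("Jan 01 00:00:00 2010 GMT")
ALICE_CERT = make_cert("Example CSP A", "Alice Example",
                       "Dec 19 00:00:00 2009 GMT", "Dec 19 00:00:00 2012 GMT")
BINDINGS = {certificate_to_binding_key(ALICE_CERT, now=DEMO_NOW): "https://openid.example/alice"}
```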
