[OpenID - Eu] Privacy and Security Risks when Authenticating on the Internet with European eID

Kick Willemse nieuwsgroep at evidos.nl
Sun Dec 20 14:35:57 UTC 2009


Hi Robert, all,

Thank you for the explanation on SuisseID.

In NL you see similar developments where traditional CSPs are developing
authentication services based on SAML to exchange additional attributes.
(Also to have a minimum of data in the X.509 certs.)

Also OpenID is seen as a good protocol to make it easier for RPs to
implement e-ID and also have a better user experience.

I have a few questions/statements and wonder what others' opinions are:

1. Are the traditional e-ID CSPs also introducing OpenIDs as an additional
ID?
2. In the NL an additional role, "authentication broker", is introduced to
make sure all the RPs do not have to implement all the different SAML IDP
services individually (and manage all national/international contractual
relationships).
3. I think using the e-ID could help to keep OpenID decentralised.
Individuals could use their e-ID to certify their own OpenID server?
4. What attribute schema is used and is there any parallel with the AX
schema?

Kick
-----Original Message-----
From: Robert Ott [mailto:ott op jnet.ch]
Sent: Saturday 19 December 2009 17:24
To: Henrik Biering
CC: openid-eu op lists.openid.net
Subject: Re: [OpenID - Eu] Privacy and Security Risks when Authenticating
on the Internet with European eID

Hi Henrik,

Let me first explain some points on how SuisseID will be provided, as far as I
can state at the moment.
- SuisseID will be based on standard X.509 client certificates.
- There will be 4 certificate providers (CSPs) which are eligible for
issuing SuisseIDs:
   - SwissPost/SwissSign
   - Swisscom
   - QuoVadis
   - Swiss government for government internal purposes
- The issuers will SELL the hard-token based certificates to Swiss citizens.
- In 2010, the citizens will be able to get much of the price paid for the
SuisseIDs back from the government (refund).
- It has not been 100% decided whether there will be one SAML based IDP
service (for attribute access) or all of the CSPs will have to provide
their own SAML based IDP service. Most likely, all CSPs will have to provide
their own service.
- The SAML based attribute access service will be user-centric. Thus, the
user decides who gets access to which attributes collected during
the certificate issuing process.

Now to the OpenID scenario. As SuisseID is based on standard X.509
certificates, there is no barrier that OpenID providers can accept these
client certificates and map such certificates to already existing OpenIDs.
There are providers such as MyOpenID and our Clavid service providing such
functionality for free. Thus, user-centric OpenID scenarios are already
possible today.

In the case of a LOA-1 e-government application, an OpenID provider may act as a
SAML assertion consumer service asking via SAML for attributes provided by
the CSPs. In case the user accepts to transfer some attributes to the
OpenID provider, the provider can use them as persona attributes and forward
such attributes to OpenID relying parties (of course just in case the user
agrees to such a transfer too).

In addition, there will be possibilities to federate validated IDs between
countries based on protocols such as OpenID, just like Martin's service does
in Estonia. However, we have to work out some common understanding of how such
a federation could be done, taking into account the different handling of eID
in the various EU countries. I'm sure as technology and services come along,
we'll find appropriate solutions for doing so.

But let's first focus on enabling the use of eIDs for OpenID relying
parties and make users aware that they CAN use their eIDs for OpenID
enabled services. Afterwards, we can concentrate on secure, trusted
attribute exchange and cross-country federation.

Regards

Robert

On 19.12.2009, at 16:12, Henrik Biering wrote:

> Robert, can you briefly explain or point to the commercial conditions for
> signing up as an RP to SuisseID (which I did not notice on the SuisseID
> site).
> 
> We have a similar situation here in Denmark from mid 2010, where it will
> be trivial to bridge from SAML to OpenID from a technical standpoint, but
> where the upcoming government IDP (outsourced to a confederation of banks)
> has a very IDP-centric business model, which may cause problems in a
> user-centric OpenID scenario.
> 
> Robert Ott wrote:
>> We are currently in the process of bringing OpenID to attention with
>> regards to SuisseID (http://www.suisseid.ch). Currently, the SuisseID
>> specification solely defines SAML to be used for that purpose. I'm sure
>> we'll be able to bridge that SAML protocol to OpenID to give SuisseID
>> users the possibility to more broadly use their SuisseID for all OpenID
>> enabled sites.
>> 
>> Regards
>> 
>> Robert
>> 
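
The two consent steps Robert describes (CSP to OpenID provider, then OpenID provider to relying party) and Kick's question 4 about a parallel with the AX schema, shown as an added example that is not from this thread or from any of the services named: the attribute names, realms and values are constructed for illustration, and the AX type URIs are the ones published at axschema.org.

```python
from typing import Dict, Iterable, List, Set

# OpenID Attribute Exchange (AX) type URIs as registered at axschema.org
AX_TYPES = {
    "givenName": "http://axschema.org/namePerson/first",
    "surname": "http://axschema.org/namePerson/last",
    "email": "http://axschema.org/contact/email",
    "birthDate": "http://axschema.org/birthDate",
}
AX_TO_NAME = {uri: name for name, uri in AX_TYPES.items()}

# Constructed sample: the attribute statement a CSP's SAML IdP might return
# to the OpenID provider about the certificate holder (names/values invented).
CSP_ASSERTION = {
    "givenName": "Anna",
    "surname": "Muster",
    "email": "anna.muster@example.ch",
    "birthDate": "1980-05-17",
    "certSerial": "1a2b3c",  # has no AX type, so it can never reach an RP
}


def import_persona(assertion: Dict[str, str], consented: Iterable[str]) -> Dict[str, str]:
    """Stage 1 (CSP -> OP): keep only the attributes the user agreed to
    transfer into the OpenID persona; everything else is discarded."""
    wanted = set(consented)
    return {name: value for name, value in assertion.items() if name in wanted}


def release_to_rp(persona: Dict[str, str], realm: str, requested_ax: List[str],
                  consent_by_realm: Dict[str, Set[str]]) -> Dict[str, str]:
    """Stage 2 (OP -> RP): answer an AX fetch request for one RP realm.
    An attribute is released only if it is in the persona, has an AX type,
    and the user has approved that attribute for this particular realm."""
    approved = consent_by_realm.get(realm, set())
    released: Dict[str, str] = {}
    for ax_uri in requested_ax:
        name = AX_TO_NAME.get(ax_uri)
        if name is not None and name in approved and name in persona:
            released[ax_uri] = persona[name]
    return released
```

An attribute the user approved for an RP but never imported in stage 1 (birthDate in the sample) is still withheld, so each stage independently limits what leaves the provider.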
