[OpenID - Eu] Privacy and Security Risks when Authenticating on the Internet with European eID

Robert Ott ott at jnet.ch
Tue Dec 22 18:25:18 UTC 2009


Hi Henrik,

On 22.12.2009, at 12:59, Henrik Biering wrote:

> Robert Ott wrote:
>> Now to the OpenID scenario. As SuisseID is based on standard X.509 certificates, there is no barrier that OpenID providers can accept these client certificates and map such certificates to already existing OpenIDs. There are providers such as MyOpenID and our Clavid service providing such functionality for free. Thus, user-centric OpenID scenarios are already possible today.
>>   
>> 
> This direct model does not work for Danish citizens as the government and the one company to which they have outsourced the ID management (http://www.danid.dk) requires payment from any company that accepts client certificates from a user. This is clearly not a scalable model - and in particular not workable as regards international use.
On what basis will they insist on doing so? If a server accepts ALL client certificates, it will be up to the user to provide his client certificate to an identity provider. I think they would only have the possibility to disallow anybody from using their CA. But we don't need that for an OpenID provider accepting ALL certificates. We can try that as soon as you can get hold of an eID in your country.
> 
> 
> Kick Willemse wrote:
>> 2. In the NL an additional role is introduced "authentication broker" to
>> make sure all the RP's do not have to implement all the different SAML IDP
>> services individually (And manage all national/ international contractual
>> relationships).
>>   
>> 
> Not the least for the reason mentioned in my response to Robert, this "Authentication broker" model is also what we are currently looking into. 
Oh, I see. But it is an interesting model.
> 
>> 3. I think using the e-ID could help to keep OpenID decentralised.
>> Individuals could use their e-ID to certify their own OpenID server?
>> 
> Effective from 1 July 2010 Danish citizens will no longer be able to access their own private key. This will be stored centrally with DanID. There have been lots of heated discussions in various IT-related media about this change.
I don't get this point. If the user does not have the private key (e.g. on a hard token), he won't be able to initiate an SSL connection using client certificates. Do you mean that eID in Denmark will not be based on SSL client certificates?

I think we have to wait until we have real access to such an eID to find out how we can open that to the OpenID world.

Robert, OpenID Switzerland.
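The mapping Robert describes (an OpenID provider that accepts client certificates from any CA and binds them to already existing OpenIDs), as an added Go example that is not from this thread or from Clavid or MyOpenID: the fingerprint registry and the onLogin callback are assumptions, and the DER bytes in main are a constructed stand-in for an eID certificate. It also shows why a centrally held private key breaks the model: the TLS handshake itself requires the client to sign with that key.

```go
package main

import (
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"encoding/hex"
	"fmt"
)

// Registry binds a certificate fingerprint (SHA-256 of the DER leaf) to an
// OpenID enrolled earlier by the user. Hypothetical layout, not Clavid's.
type Registry map[string]string

func Fingerprint(der []byte) string {
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:])
}

// Lookup maps the presented leaf certificate to an enrolled OpenID. Any CA is
// accepted, so prior enrolment is the only trust decision; unknown certs fail.
func (r Registry) Lookup(rawCerts [][]byte) (string, error) {
	if len(rawCerts) == 0 {
		return "", fmt.Errorf("no client certificate presented")
	}
	if id, ok := r[Fingerprint(rawCerts[0])]; ok {
		return id, nil
	}
	return "", fmt.Errorf("certificate not enrolled for any OpenID")
}

// ServerConfig requests a client certificate from any CA (RequireAnyClientCert
// skips chain validation) and maps it inside the handshake. TLS still checks
// the CertificateVerify signature, so without the private key no login occurs.
func ServerConfig(r Registry, onLogin func(string)) *tls.Config {
	verify := func(raw [][]byte, _ [][]*x509.Certificate) error {
		id, err := r.Lookup(raw)
		if err == nil {
			onLogin(id)
		}
		return err
	}
	return &tls.Config{ClientAuth: tls.RequireAnyClientCert, VerifyPeerCertificate: verify}
}

func main() {
	der := []byte("constructed DER stand-in for Alice's eID certificate")
	reg := Registry{Fingerprint(der): "https://alice.example.net/"}
	fmt.Println(reg.Lookup([][]byte{der}))
}
```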


