[OpenID] Opt out of Yahoo OpenID?

Peter Williams pwilliams at rapattoni.com
Sat Jan 19 19:29:57 UTC 2008


http://www.identityblog.com/stories/2004/12/09/thelaws.html - concerning directed identity

"A universal identity system must support both "omni-directional" identifiers for use by public entities and "unidirectional" identifiers for use by private entities, thus facilitating discovery while preventing unnecessary release of correlation handles. (Starts here...) <http://www.identityblog.com/2004/12/06.html> "

There are only two uses of the term in the reference. One says "bluetooth doesn't hack it", and the other is the title. Most of the text below the title is blather - presumably attempting conceptual analysis and consensus building via the social dynamics of blogging. The first paragraph is a reasonable definition and requirements statement, the terms of which clearly relate to the VeriSign contribution on the topic from Feb 2006. I don't know who the author of law 4 is: VeriSign or Microsoft. I can independently analyse that the VeriSign contribution was focused, clear and nicely argued. I can also say that the Microsoft paragraph was a nice summary of the VeriSign email, if that is indeed the order in which the contributions actually happened.
 
Let's now try to put this "Newton-class Law" #4 into standard security terminology that auditors can work with, rather than impose new-fangled identity terminology:
 
1. individual accountability in public requires "omnipresence" - an identifier that any relying party can easily bind to a real person based on their participation in civil society.
 
2. individual accountability in private requires "unidirectional presence(s)" - one or more identifiers that one or more limited groups of relying parties can easily bind to a real person still operating in civil society - who may yet exploit zero, one or more pseudonyms to assert zero, one or more expectations of privacy.
 
3. as (2) above in which the veil of privacy cannot be pierced - and the parties are thus not participating in civil society. Though by no means are all such non-civil communities criminal in manner, many also are. Civil society has to use politics to define the balances of issues here - an ongoing and difficult process.
 
I don't see anything in the definition (or the difficult to follow blather) that restricts individual accountability in scenario 2 to being limited to a singular (pseudonymous) identifier per relying party.
 
------------------
 
In the case of Yahoo, they have clearly defined both a scenario #1 community and a scenario #2 relying-party community (using the unidirectional identification model of law #4), as all those relying in case 2 will need to be bound to Yahoo's terms of service - a simple federation agreement (that may differ by the nation in which the act of reliance is authorized to occur, when interacting with directed identities managed/issued/provisioned legally under the terms of service imposed by yahoo.co.uk, say). They created an obvious and web-typical subscription vehicle to their federation community, in the form of their signup button, which is obviously branded to Yahoo. It invokes and symbolizes their virtual reliance space. The button is distinct from the OpenID button in brand and logo design, clearly separating the two reliance domains. The button invokes OpenID 2.0 and specifically involves the exploitation of "OP Identifiers" (rather than the alternative, "Claimed Identifiers"), thereby facilitating the use of the "Directed Identity" handling procedure at their beta OP server.
 
If the OpenID Forum happens to design a reliance space, represented by the openid-branded button, that has a different profile of Directed Identity within Law 4 (e.g. the button indicates the site participates in the scheme allowing n directed identities of a given legal person (issued by n different OPs) to be relied upon with or without pseudonym security semantics), so be it.
 
Celebrate such interpretations, Dick. You have succeeded! Let the OpenID button represent work yet to be realized on the "single openid space". You are in many ways at exactly the same position as RFC 1422, when it turned away from the former vision of the internet public key infrastructure (there shall be only one PKI, a single PKI for the internet (designed by BBN=DARPA/NSA, rooted at MIT=NSF, operated by RSADSI)). The turn allowed for Policy CAs to exist, each of which qualified _autonomous_ certification domains unbeholden to MIT, and rooted in national legal systems. Once we had broken the back of the "single PKI" into policy domains, it was only a small push to dump the formality of policy domains and let anyone run a PKI with or without policy and/or connectivity - subject to common law controls, only. Voila https - a worldwide collection of trust networks enforcing cryptographic separation policies, only some of which connect to each other! It scaled to internet size though, addressing somehow the contentious social, privacy and technology issues that these initiatives always invoke. If I read the tea leaves right, though, openid is repeating that successful history, as a form of lightweight websso (over a PKI-controlled https bearer).


________________________________

From: Dick Hardt [mailto:dick at sxip.com]
Sent: Sat 1/19/2008 8:51 AM
To: Peter Williams
Cc: sknvn-openid at yahoo.com; openid-general
Subject: Re: [OpenID] Opt out of Yahoo OpenID?




On 18-Jan-08, at 9:02 PM, Peter Williams wrote:

> http://lists.danga.com/pipermail/yadis/2006-February/002138.html 
> does indeed provide context. It says the then skip does idp-
> initiated sso with persistent nameid name format conversion, per 
> sp. It also implies that openid2 can do more typical sp-initiated 
> websso with -implied- nameformat=persistent  request, causing the 
> op to mask ppi in the openid.
>
> Yahoo are apparently doing the latter - where the masking is for a 
> common sp affiliation set rather than the initiating sp, where set 
> is all RPs, as it happens.
>
>  As directed identity is not a standardized term, and yahoo are 
> using std protocol elements to invoke the user selection of openid 
> for a given rp, they are entitled to use the term directed 
> identity, I find.

Over on the Identity Gang list and in Kim's Laws of Identity[1] the 
term Directed Identity does have a standard definition.


[1] http://www.identityblog.com/stories/2004/12/09/thelaws.html
        see Law 4

-- Dick
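The OP Identifier login discussed in the thread, as an added worked example that is not part of the original messages and not Yahoo's or any OP's real code. It models the OpenID 2.0 exchange in which the RP sends identifier_select instead of a Claimed Identifier, and compares two OP policies for the identifier it then hands back: a pairwise pseudonym per realm (a fresh "unidirectional" identifier for each RP, so no correlation handle is released), and one masked pseudonym shared by all RPs (the "common sp affiliation set" reading of Yahoo's beta above). The OP endpoint, the OP-side secret, the user account and the two RP realms are constructed for the example; the spec constants are the real OpenID 2.0 ones. Association handles, nonces and signatures are left out because the point is identifier selection, not assertion signing.

```python
"""OpenID 2.0 directed identity: identifier_select and OP-chosen pseudonyms.

Added example, not code from the thread or from Yahoo. Everything below
op.example.com, OP_SECRET and the accounts/realms is constructed.
"""
import hashlib
import hmac

NS = "http://specs.openid.net/auth/2.0"
# Spec-defined sentinel the RP sends when it logs in with an OP Identifier
# and lets the OP pick the user's identifier (OpenID 2.0, section 7.3.2.2).
IDENTIFIER_SELECT = "http://specs.openid.net/auth/2.0/identifier_select"

OP_ENDPOINT = "https://op.example.com/openid"    # hypothetical OP
OP_SECRET = b"constructed-op-side-key"          # in practice a stored random key
# Claimed Identifiers the OP knows it hosts, mapped to the owning account.
CLAIMED_IDS = {"https://op.example.com/alice": "alice@example.com"}


def rp_build_checkid_request(realm: str, return_to: str) -> dict:
    """RP side: checkid_setup using an OP Identifier, i.e. no claimed ID yet."""
    return {
        "openid.ns": NS,
        "openid.mode": "checkid_setup",
        "openid.claimed_id": IDENTIFIER_SELECT,
        "openid.identity": IDENTIFIER_SELECT,
        "openid.realm": realm,
        "openid.return_to": return_to,
    }


def _pseudonym(account: str, scope: str) -> str:
    """Stable, unguessable identifier URL derived from (account, scope)."""
    tag = hmac.new(OP_SECRET, f"{account}\x00{scope}".encode(), hashlib.sha256).hexdigest()[:32]
    return f"https://op.example.com/a/{tag}"


def op_issue_assertion(request: dict, account: str, policy: str) -> dict:
    """OP side: answer checkid_setup after the user has authenticated as `account`."""
    if request.get("openid.ns") != NS or request.get("openid.mode") != "checkid_setup":
        raise ValueError("not an OpenID 2.0 checkid_setup request")
    identity = request["openid.identity"]
    if identity != IDENTIFIER_SELECT:
        # Claimed Identifier flow: the RP already holds the identifier, so the
        # OP may only assert it if the authenticated account actually owns it.
        if CLAIMED_IDS.get(identity) != account:
            raise PermissionError("account does not own the claimed identifier")
    elif policy == "pairwise":
        identity = _pseudonym(account, "realm:" + request["openid.realm"])
    elif policy == "affiliation":
        identity = _pseudonym(account, "affiliation:all-rps")
    else:
        raise ValueError(f"unknown policy {policy!r}")
    return {
        "openid.ns": NS,
        "openid.mode": "id_res",
        "openid.op_endpoint": OP_ENDPOINT,
        "openid.claimed_id": identity,
        "openid.identity": identity,
        "openid.return_to": request["openid.return_to"],
    }


def correlatable(assertion_a: dict, assertion_b: dict) -> bool:
    """Could two RPs link the same person by comparing what the OP gave each?"""
    return assertion_a["openid.claimed_id"] == assertion_b["openid.claimed_id"]


def demo() -> dict:
    account = "alice@example.com"
    shop = rp_build_checkid_request("https://shop.example.net", "https://shop.example.net/return")
    forum = rp_build_checkid_request("https://forum.example.org", "https://forum.example.org/return")
    pair = [op_issue_assertion(r, account, "pairwise") for r in (shop, forum)]
    aff = [op_issue_assertion(r, account, "affiliation") for r in (shop, forum)]
    return {
        "pairwise_correlatable": correlatable(*pair),
        "affiliation_correlatable": correlatable(*aff),
        "account_visible_to_rp": account in aff[0]["openid.claimed_id"],
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The two policies differ only in what is mixed into the HMAC: keying on the realm gives every RP its own identifier, so two RPs comparing notes learn nothing; keying on a fixed affiliation label masks the account name but still hands every RP the same handle, which is exactly the correlation handle Law 4 says should not be released unnecessarily. Either way the OP stays in control of the mapping, and the identifier is stable across logins so the RP can still keep a persistent account for the user.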






More information about the general mailing list