Requiring Pseudonymous Identifier

David Recordon david at sixapart.com
Wed May 13 23:26:13 UTC 2009


Agreed.  RP requests a pseudonymous identifier and it's up to the OP  
to figure out how to make one and ideally communicate back to the RP  
that it did so.

--David

On May 13, 2009, at 9:41 AM, Andrew Arnott wrote:

> Agreed.  There is no reason for OpenID to mandate how pseudonymous  
> identifiers are created.  That should be left up to the OP.
>
> --
> Andrew Arnott
> "I [may] not agree with what you have to say, but I'll defend to the  
> death your right to say it." - Voltaire
>
>
> On Wed, May 13, 2009 at 9:28 AM, George Fletcher <gffletch at aol.com>  
> wrote:
> I'm perfectly fine with using RP discovery as a mechanism for the RP  
> to specify what "policy" it requires. I believe that unsolicited  
> assertions are going to become more common, so we need to support it.
>
> What I don't want OpenID to do is specify the actual syntax of the  
> pseudonymous identifier. I agree that the RP has to trust the OP (in  
> some sense) or make its own determination that the OP is not  
> honoring the RP's wishes and then take some action.
>
> For RPs behind firewalls, it would be nice to allow them some  
> mechanism other than RP discovery to assert their requirements, but  
> that should preclude the discover option.
>
> Thanks,
> George
>
> Andrew Arnott wrote:
> leaves out the scenario of unsolicited assertions. A new directed  
> identity value that the RP passes to the OP to indicate it wants a  
> pseudonymous identifier.  Consider this:
>
> An OP needs to perform RP discovery (already), and probably does so  
> before sending an unsolicited assertion in order to find out what  
> the assertion receiving URI would be for a given realm.  DNOA does  
> this already.  If that RP's XRDS document included a TypeURI element  
> that had a special pseudonymous-identifier-only-please value the  
> OP could pick up on this, and send the unsolicited assertion using  
> the appropriate type of claimed_id.
>
> Likewise, when an RP sends an ordinary directed identity request to  
> an OP, the OP would again notice the RP's XRDS during RP discovery  
> and see what kind of identifier the RP wants and assert accordingly.
>
> Yes, some OPs won't honor the RP's wishes, and some OPs don't do RP  
> discovery at all.  Perhaps to help the RP detect whether the OP  
> respected its wishes would be to send a PAPE extension or some other  
> openid.* parameter to say "yes, this is a pseudo-identifier."  RPs  
> have no way to analytically be certain that some identifier is  
> pseudonymous anyway, so ultimately the RP has to trust the OP  
> (whether implicitly or through a white list is up to the RP).
>
> --
> Andrew Arnott
> "I [may] not agree with what you have to say, but I'll defend to the  
> death your right to say it." - Voltaire
>
>
> On Wed, May 13, 2009 at 8:44 AM, George Fletcher <gffletch at aol.com> wrote:
>
>    I don't think OpenID should specify how pseudonymous identifiers
>    are generated. That should be up to the OP. But I like the idea of
>    using a fixed URI as the claimed_id value to specify the behavior
>    desired by the RP. If, however, we need to grow this to cover
>    anonymous based identifiers (i.e. the claims based models from
>    earlier in this thread) then it might make sense to look at a PAPE
>    extension that covers the type of identifier requested.
>
>    Thanks,
>    George
>
>
>    Nat Sakimura wrote:
>
>        Sorry for a slow response. This week is especially busy for me...
>
>        I borrowed the notion from Austrian Citizen ID system.
>        In there, the services are divided into "sectors."
>        A sector may span several agencies.
>        They call ID as PIN (Personal Identification Number).
>
>        There is a secret PIN (sPIN) which is not used anywhere but in
>        their SmartCard.
>        Then, sector specific PIN (ssPIN) is calculated in the manner of:
>
>        SHA1(sPIN + SectorID)
>
>        (Note, there is a bit more details but...)
>
>        I have thrown OP secret into it.
>        To avoid the analytic attack, I agree that it is better to use
>        individual secret, as some of you point out.
>
>        Regards,
>
>        =nat
>
>        On Tue, May 12, 2009 at 5:55 PM, Dick Hardt
>        <dick.hardt at gmail.com> wrote:
>
>            On 12-May-09, at 1:36 AM, Nat Sakimura wrote:
>
>                Reason for using RP's Subject in XRD instead of simply
>                using realm is
>                to allow for something like group identifier.
>
>            would you elaborate on the group identifier concept?
>
>
>                This is just one idea. Downside of this approach
>                is that we need to set up a WG.
>
>                I am sure there are more ideas. It might be possible
>                to utilize AX
>                so that it will only be a profile that does not
>                require a WG.
>
>                So shall we start discussing which direction we want
>                to go forward?
>
>            sure!
>
>
>    _______________________________________________
>    specs mailing list
>    specs at openid.net
>
>    http://openid.net/mailman/listinfo/specs
>

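Added example (not part of the thread and not code from any participant or OP): one way an OP could derive the sector-specific identifier discussed above. It shows the SHA1(sPIN + SectorID) shape as plain concatenation next to a keyed variant that swaps in HMAC-SHA256 under a per-user secret. The function names, the op.example prefix and the rule that a sector is the realm's scheme plus host are assumptions.

```python
import hashlib
import hmac
import secrets
from base64 import urlsafe_b64encode
from urllib.parse import urlsplit

OP_BASE = "https://op.example/anon/"  # hypothetical OP identifier prefix


def sector_id(realm: str) -> str:
    """Assumed sector rule: scheme + host of the RP realm, lower-cased."""
    parts = urlsplit(realm)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("realm must be an http(s) URL with a host")
    return f"{parts.scheme}://{parts.hostname}"


def naive_sspin(secret: str, sector: str) -> str:
    """The SHA1(sPIN + SectorID) shape from the thread, as plain concatenation."""
    return hashlib.sha1((secret + sector).encode()).hexdigest()


def pairwise_id(user_secret: bytes, realm: str) -> str:
    """Keyed variant (swapped in here): HMAC-SHA256 under a per-user secret."""
    if len(user_secret) < 16:
        raise ValueError("per-user secret too short")
    mac = hmac.new(user_secret, sector_id(realm).encode(), hashlib.sha256).digest()
    # 18 bytes of MAC -> 24 URL-safe characters, no padding
    return OP_BASE + urlsafe_b64encode(mac[:18]).decode()


if __name__ == "__main__":
    alice = secrets.token_bytes(32)  # constructed per-user secret, held by the OP
    bob = secrets.token_bytes(32)
    print(pairwise_id(alice, "https://shop.example/"))  # stable for this RP
    print(pairwise_id(alice, "https://news.example/"))  # differs per sector
    print(pairwise_id(bob, "https://shop.example/"))    # differs per user
    # Plain concatenation is ambiguous: two different (secret, sector) pairs
    # feed the same bytes to the hash and collide.
    print(naive_sspin("ab", "c") == naive_sspin("a", "bc"))
```

Because the key and the sector are separate HMAC inputs, the concatenation ambiguity does not arise, and a per-user key means that learning one user's secret does not help link any other user's identifiers across RPs.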