Requiring Pseudonymous Identifier
John Bradley
jbradley at mac.com
Thu May 14 14:07:17 UTC 2009
+1
Exactly, group membership is an attribute and you may need to assert
multiple ones at the same time.
I believe the SAML solution to this is to use a sort of ephemeral
for the subject of the assertion.
For openID the equivalent is not using an identifier at all. The same
effect can also be achieved with managed info-cards.
I think overloading the identifier with group meaning is a bad
direction.
You could do it now, by allowing multiple people to assert the same
openID, but that would cause all sorts of problems for RPs not
understanding the difference.
Keeping it identity-less also allows the assertion to come from a 3rd
party.
The group may be the only one that can say I belong to it. They may
have the openIDs of their members and make membership assertions on
their behalf without being a full IDP. That could be done with AX or
oAuth for transferring the attributes.
John Bradley
On 14-May-09, at 12:17 AM, Andrew Arnott wrote:
> If an RP only needs group membership and no individual identity,
> then why assert an identifier at all? Use OAuth or identity-less
> OpenID. I think it would seriously cloud OpenID's Identifiers if an
> AX attribute that may or may not be noticed or included
> significantly changes what the identifier's significant meaning is.
>
> --
> Andrew Arnott
> "I [may] not agree with what you have to say, but I'll defend to the
> death your right to say it." - S. G. Tallentyre
>
>
> On Wed, May 13, 2009 at 8:36 PM, SitG Admin <sysadmin at shadowsinthegarden.com> wrote:
> Attributes like group membership belong in AX, not in the identifier.
>
> I suspect the idea is to have a pseudonymous identifier that
> discloses nothing about the person using it other than the fact that
> they can assert the same ID each time they return to prevent
> correlation.
>
> To further prevent correlation, the OP may wish to support users in
> authenticating as members of a group - *in such a way* that
> individual users cannot be distinguished from one another. If not
> for that, RPs could correlate information over time, establishing
> theoretical profiles of the users.
>
> I think one compromise could be to use a traditional identifier, and
> then use AX to signal to the RP that the OP might vouch for more
> than one individual having that URI.
>
> -Shade
>
> _______________________________________________
> specs mailing list
> specs at openid.net
> http://openid.net/mailman/listinfo/specs
>
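The two ideas in this thread (a pseudonymous identifier that is stable for one RP but unlinkable across RPs, and a group mode in which members present the same identifier with membership carried as an attribute) sketched as a small OP-side model. This is an added illustration, not code from the thread or from any OpenID implementation; the HMAC-based derivation, the `op.example` URL prefix and the secret are assumptions.

```python
import hmac
import hashlib

# Constructed sample secret for the hypothetical OP; not a real key.
OP_SECRET = b"constructed-op-secret-for-illustration-only"


def pairwise_identifier(subject: str, rp_realm: str) -> str:
    """Pseudonymous identifier for one subject at one RP (hypothetical scheme).

    Same subject + same realm always yields the same value, so the user can
    re-assert it on return; a different realm yields an unrelated value, so
    two RPs cannot correlate the subject by comparing identifiers.
    """
    msg = f"{subject}\x00{rp_realm}".encode()
    digest = hmac.new(OP_SECRET, msg, hashlib.sha256).hexdigest()
    return "https://op.example/id/" + digest[:32]


def make_assertion(local_user: str, rp_realm: str, groups: list[str],
                   group_mode: bool = False) -> dict:
    """Build a minimal assertion for an RP.

    Membership is always carried as an attribute (the AX-style channel the
    thread argues for). In group mode the identifier is derived from the
    group rather than the user, so every member looks the same to the RP.
    """
    subject = f"group:{groups[0]}" if group_mode else f"user:{local_user}"
    return {
        "identifier": pairwise_identifier(subject, rp_realm),
        "attributes": {"groups": sorted(groups)},
    }


def rp_can_correlate(a: dict, b: dict) -> bool:
    """An RP can link two assertions only if the asserted identifiers match;
    the group attribute alone says nothing about which member is present."""
    return a["identifier"] == b["identifier"]
```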