Requiring Pseudonymous Identifier

John Bradley jbradley at
Thu May 14 14:07:17 UTC 2009


Exactly, group membership is an attribute and you may need to assert
multiple ones at the same time.

I believe the SAML solution to this is to use a sort of ephemeral
for the subject of the assertion.

For OpenID the equivalent is not using an identifier at all. The same
effect can also be achieved with managed info-cards.

I think overloading the identifier with group meaning is a bad  

You could do it now, by allowing multiple people to assert the same
OpenID, but that would cause all sorts of problems for RPs not
understanding the difference.

Keeping it identity-less also allows the assertion to come from a 3rd  

The group may be the only one that can say I belong to it. They may
have the OpenIDs of their members and make membership assertions on
their behalf without being a full IdP. That could be done with AX or
OAuth for transferring the attributes.

John Bradley
On 14-May-09, at 12:17 AM, Andrew Arnott wrote:

> If an RP only needs group membership and no individual identity,  
> then why assert an identifier at all?  Use OAuth or identity-less  
> OpenID.  I think it would seriously cloud OpenID's Identifiers if an  
> AX attribute that may or may not be noticed or included  
> significantly changes what the identifier's significant meaning is.
> --
> Andrew Arnott
> "I [may] not agree with what you have to say, but I'll defend to the  
> death your right to say it." - S. G. Tallentyre
> On Wed, May 13, 2009 at 8:36 PM, SitG Admin <sysadmin at > wrote:
> Attributes like group membership belong in AX, not in the identifier.
> I suspect the idea is to have a pseudonymous identifier that  
> discloses nothing about the person using it other than the fact that  
> they can assert the same ID each time they return to prevent  
> correlation.
> To further prevent correlation, the OP may wish to support users in  
> authenticating as members of a group - *in such a way* that  
> individual users cannot be distinguished from one another. If not  
> for that, RPs could correlate information over time, establishing
> theoretical profiles of the users.
> I think one compromise could be to use a traditional identifier, and  
> then use AX to signal to the RP that the OP might vouch for more  
> than one individual having that URI.
> -Shade
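
As an added illustration (not code from the thread or from any OpenID/SAML implementation), a small model of the two assertion styles under discussion: a persistent pseudonymous identifier plus a group attribute lets an RP link one person's sign-ins over time, while an ephemeral subject (the SAML transient-style approach John mentions) still carries the group claim but leaves the RP nothing to correlate. The OP host, user names and group names are constructed.

```python
import secrets
from collections import defaultdict

# Constructed sample directory: which groups each user belongs to.
USERS = {"alice": {"staff"}, "bob": {"staff"}, "carol": {"staff", "admins"}}

def op_assert(user, groups, mode):
    """Hypothetical OP: return an assertion for `user` carrying the group attribute.

    mode="persistent": a stable pseudonymous identifier per user.
    mode="transient":  a fresh one-time subject per response (SAML transient
                       NameID style), so the identifier says nothing about who it is.
    """
    if mode == "persistent":
        subject = f"https://op.example/id/{user}"   # constructed OP host
    elif mode == "transient":
        subject = "_" + secrets.token_hex(8)
    else:
        raise ValueError(f"unknown mode {mode!r}")
    return {"subject": subject, "groups": frozenset(groups)}

def rp_authorize(assertion, required_group):
    """RP access decision: depends only on the group attribute, not on the subject."""
    return required_group in assertion["groups"]

def rp_correlate(assertions):
    """RP-side profiling attempt: count how many sign-ins can be tied to each subject."""
    visits = defaultdict(int)
    for a in assertions:
        visits[a["subject"]] += 1
    return dict(visits)

def simulate(mode, visits_per_user=3):
    """Run every user through the OP several times and report what the RP can link.

    Returns (max sign-ins linkable to one subject, number of distinct subjects seen).
    """
    assertions = [op_assert(u, g, mode)
                  for u, g in USERS.items() for _ in range(visits_per_user)]
    assert all(rp_authorize(a, "staff") for a in assertions)  # authz works in both modes
    profile = rp_correlate(assertions)
    return max(profile.values()), len(profile)

if __name__ == "__main__":
    print("persistent:", simulate("persistent"))  # (3, 3): each user's visits are linkable
    print("transient: ", simulate("transient"))   # (1, 9): no cross-visit correlation
```

The RP's authorization outcome is identical in both modes, which is the point of the thread: the group claim belongs in the attribute, and the identifier can be dropped or made one-time without losing anything the RP needs.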

