[OpenID - Eu] Privacy and Security Risks when Authenticating on the Internet with European eID

Nat sakimura at gmail.com
Sun Dec 20 00:06:02 UTC 2009


FYI, we have been experimenting on SAML/OpenID translation. If we can
be of any help, let me know.

=nat at Tokyo via iPhone

On 2009/12/20, at 1:24, Robert Ott <ott at jnet.ch> wrote:

> Hi Hendrik,
>
> Let me first explain some points on how SuisseID will be provided, as
> far as I can state at the moment.
> - SuisseID will be based on standard X.509 client certificates.
> - There will be 4 certificate providers (CSPs) which are eligible
> for issuing SuisseIDs:
>   - SwissPost/SwissSign
>   - Swisscom
>   - QuoVadis
>   - Swiss government for government internal purposes
> - The issuers will SELL the hard-token based certificates to Swiss
> citizens.
> - In 2010, the citizens will be able to get much of the price paid
> for the SuisseIDs back from the government (refund).
> - It has not been 100% decided whether there will be one SAML based
> IDP service (for attribute access) or all of the CSPs will have to
> provide their own SAML based IDP service. Most likely, all CSPs will
> have to provide their own service.
> - The SAML based attribute access service will be user-centric.
> Thus, the user decides who gets access to which attributes
> collected during the certificate issuing process.
>
> Now to the OpenID scenario. As SuisseID is based on standard X.509
> certificates, there is no barrier that OpenID providers can accept
> these client certificates and map such certificates to already
> existing OpenIDs. There are providers such as MyOpenID and our
> Clavid service providing such functionality for free. Thus, user
> centric OpenID scenarios are already possible today.
>
> In case of a LOA-1 e-government application, an OpenID provider may
> act as a SAML assertion consumer service asking via SAML for
> attributes provided by the CSPs. In case the user accepts to
> transfer some attributes to the OpenID provider, the provider can
> use them as persona attributes and forward such attributes to OpenID
> relying parties (of course just in case the user agrees to such a
> transfer too).
>
> In addition, there will be possibilities to federate validated IDs
> between countries based on protocols such as OpenID. Just like
> Martin's service does in Estonia. However, we have to work out some
> common understanding of how such a federation could be done, taking into
> account the different handling of eID in the various EU countries.
> I'm sure as technology and services come along, we'll find
> appropriate solutions for doing so.
>
> But let's first focus on enabling the use of eIDs for OpenID
> relying parties and make users aware that they CAN use their eIDs
> for OpenID enabled services. Afterwards, we can concentrate on
> secure, trusted attribute exchange and cross country federation.
>
> Regards
>
> Robert
>
> On 19.12.2009, at 16:12, Henrik Biering wrote:
>
>> Robert, can you briefly explain or point to the commercial  
>> conditions for signing up as an RP to SuisseID (which I did not  
>> notice on the SuisseID site).
>>
>> We have a similar situation here in Denmark from mid 2010, where it
>> will be trivial to bridge from SAML to OpenID from a technical
>> standpoint, but where the upcoming government IDP (outsourced to a
>> confederation of banks) has a very IDP centric business model,
>> which may cause problems in a user-centric OpenID scenario.
>>
>> Robert Ott wrote:
>>> We are currently in the process of bringing OpenID to attention
>>> with regards to SuisseID (http://www.suisseid.ch).
>>> Currently, the SuisseID specification solely defines SAML to be
>>> used for that purpose. I'm sure we'll be able to bridge that SAML
>>> protocol to OpenID to give SuisseID users the possibility to broader
>>> use their SuisseID for all OpenID enabled sites.
>>>
>>> Regards
>>>
>>> Robert
>>>
>
> _______________________________________________
> eu mailing list
> eu at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-eu
