[OpenID - Eu] Privacy and Security Risks when Authenticating on the Internet with European eID
Robert Ott
ott at jnet.ch
Sun Dec 20 15:01:29 UTC 2009
Hi Kick,
So it looks very similar to what the Netherlands and Switzerland are doing. I guess it will apply to many of the countries.
> 1. Are the traditional e-id CSP's also introducing OpenID's as an additional
> ID?
That's probably a question the CSP's have to answer.
> 2. In the NL an additional role is introduced "authentication broker" to
> make sure all the RP's do not have to implement all the different SAML IDP
> services individually (And manage all national/ international contractual
> relationships).
I think that is an interesting concept. That concept is not part of the SuisseID spec (yet).
> 3. I think using the e-ID could help to keep OpenID decentralised.
> Individuals could use their e-ID to certify their own openid server?
Agree.
> 4. What Attribute schema is used and is there any parallel with the AX
> schema?
Proprietary for SuisseID. Will need to be converted to the AX schema.
Regards
Robert
On 20.12.2009, at 15:35, Kick Willemse wrote:
> Hi Robert, all,
>
> Thank you for the explanation on SuisseID.
>
> In NL you see similar developments where traditional CSP's are developing
> authentication services based on SAML to exchange additional attributes.
> (Also to have a minimum of data in the X509 certs).
>
> Also OpenID is seen as a good protocol to make it more easy for RP's to
> implement e-ID and also have a better user experience.
>
> I have a few questions/ statements and wonder what others opinions are:
>
> 1. Are the traditional e-id CSP's also introducing OpenID's as an additional
> ID?
> 2. In the NL an additional role is introduced "authentication broker" to
> make sure all the RP's do not have to implement all the different SAML IDP
> services individually (And manage all national/ international contractual
> relationships).
> 3. I think using the e-ID could help to keep OpenID decentralised.
> Individuals could use their e-ID to certify their own openid server?
> 4. What Attribute schema is used and is there any parallel with the AX
> schema?
>
> Kick
> -----Original message-----
> From: Robert Ott [mailto:ott at jnet.ch]
> Sent: Saturday 19 December 2009 17:24
> To: Henrik Biering
> CC: openid-eu at lists.openid.net
> Subject: Re: [OpenID - Eu] Privacy and Security Risks when Authenticating
> on the Internet with European eID
>
> Hi Henrik,
>
> Let me first explain some points how SuisseID will be provided as far as I
> can state at the moment.
> - SuisseID will be based on standard X-509 client certificates.
> - There will be 4 certificate providers (CSP's) which are eligible for
> issuing SuisseID's:
> - SwissPost/SwissSign
> - Swisscom
> - QuoVadis
> - Swiss government for government internal purposes
> - The issuers will SELL the hard-token based certificates to Swiss citizens.
> - In 2010, the citizens will be able to get much of the price paid for the
> SuisseID's back from the government (refund).
> - It has not been 100% decided whether there will be one SAML based IDP
> service (for attribute access) or all of the CSP's will have to provide
> their own SAML based IDP service. Most likely, all CSP will have to provide
> their own service.
> - The SAML based attribute access service will be user-centric. Thus, the
> user decides who gets access to which of the attributes collected during
> the certificate issuing process.
>
> Now to the OpenID scenario. As SuisseID is based on standard X-509
> certificates, there is no barrier that OpenID providers can accept these
> client certificates and map such certificates to already existing OpenID's.
> There are providers such as MyOpenID and our Clavid service providing such
> functionality for free. Thus, user-centric OpenID scenarios are already
> possible today.
>
> In case of a LOA-1 e-government application, an OpenID provider may act as a
> SAML assertion consumer service asking via SAML for attributes provided by
> the CSP's. In case the user accepts to transfer some attributes to the
> OpenID provider, the provider can use it as persona attributes and forwards
> such attributes to OpenID relying parties (of course just in case the user
> agrees to such a transfer too).
>
> In addition, there will be possibilities to federate validated ID's between
> countries based on protocols such as OpenID. Just like Martin's service does
> in Estonia. However, we have to work out some common understanding how such
> a federation could be done taking into account the different handling of eID
> in the various EU countries. I'm sure as technology and services come along,
> we'll find appropriate solutions for doing so.
>
> But let's first focus on enabling the use of eID's for OpenID relying
> parties and make users aware that they CAN use their eID's for OpenID
> enabled services. Afterwards, we can concentrate on secure, trusted
> attribute exchange and cross country federation.
>
> Regards
>
> Robert
>
> On 19.12.2009, at 16:12, Henrik Biering wrote:
>
>> Robert, can you briefly explain or point to the commercial conditions for
> signing up as an RP to SuisseID (which I did not notice on the SuisseID
> site).
>>
>> We have a similar situation here in Denmark from mid 2010, where it will
> be trivial to bridge from SAML to OpenID from a technical standpoint, but
> where the upcoming government IDP (outsourced to a confederation of banks)
> has a very IDP-centric business model, which may cause problems in a
> user-centric OpenID scenario.
>>
>> Robert Ott wrote:
>>> We are currently in the process of bringing OpenID to attention with
> regards to SuisseID (http://www.suisseid.ch
>>> ). Currently, the SuisseID specification solely defines SAML to be used
> for that purpose. I'm sure we'll be able to bridge that SAML protocol to
> OpenID to give SuisseID users the possibility to use their SuisseID more
> broadly for all OpenID enabled sites.
>>>
>>> Regards
>>>
>>> Robert
>>>
>
> _______________________________________________
> eu mailing list
> eu at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-eu
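Robert's sketch of an OpenID provider acting as a SAML assertion consumer, releasing only user-approved attributes and converting the proprietary schema to AX, worked as an added Python example (not code from the thread, nor from any SuisseID, Clavid or MyOpenID implementation). The attribute names, endpoints and sample assertion are constructed assumptions, and XML signature verification is assumed to have happened before this step.

```python
# Hypothetical mapping from issuer-specific attribute names to AX type URIs;
# the thread says SuisseID's schema is proprietary but does not list its names.
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ATTR_TO_AX = {
    "givenName": "http://axschema.org/namePerson/first",
    "surname": "http://axschema.org/namePerson/last",
    "email": "http://axschema.org/contact/email",
}

# Constructed sample assertion (not a real SuisseID assertion), assumed to be
# already signature-checked: the XML signature check must precede this step.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>https://csp.example/idp</saml:Issuer>
  <saml:Conditions NotBefore="2009-12-20T14:00:00Z" NotOnOrAfter="2009-12-20T16:00:00Z">
    <saml:AudienceRestriction><saml:Audience>https://op.example</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="givenName"><saml:AttributeValue>Anna</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="surname"><saml:AttributeValue>Muster</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="email"><saml:AttributeValue>anna@example.ch</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""
SAMPLE_NOW = datetime(2009, 12, 20, 15, 1, tzinfo=timezone.utc)

def _parse_time(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def saml_to_ax(assertion_xml, my_audience, consented, now):
    """Map consented SAML attributes to OpenID AX fetch_response fields.
    Raises ValueError if the assertion is expired or not addressed to us."""
    root = ET.fromstring(assertion_xml)
    cond = root.find("saml:Conditions", NS)
    if not (_parse_time(cond.get("NotBefore")) <= now < _parse_time(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion outside its validity window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if my_audience not in audiences:
        raise ValueError("assertion not addressed to this OpenID provider")
    fields = {"openid.ns.ax": "http://openid.net/srv/ax/1.0", "openid.ax.mode": "fetch_response"}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        name = attr.get("Name")
        # User-centric release: only attributes the user agreed to forward to the RP.
        if name in consented and name in ATTR_TO_AX:
            fields[f"openid.ax.type.{name}"] = ATTR_TO_AX[name]
            fields[f"openid.ax.value.{name}"] = attr.findtext("saml:AttributeValue", namespaces=NS)
    return fields
```

The `consented` set is what the user approved at the OpenID provider's consent step; attributes the user withheld never reach the relying party even though they are present in the assertion.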