[OpenID] Use OpenID for Identification
Nate Klingenstein
ndk at internet2.edu
Thu May 15 15:02:01 UTC 2008
Christoph,
> I'm trying to find a way we could use OpenID to _prove_ that a user
> is over 18, or any other legally important claim.
_Prove_ is a term that would require a stronger trust infrastructure
than anything offered today. We usually stop at "very strong claim,"
and even that is extremely hard.
> Currently there are a lot of projects which try to combine national ID
> cards with OpenID, like Trustbearer or open.id.ee (which seems to be
> down at the moment). Combined with some sort of reputation list this
> would result in a two-class society of OpenID providers: the (maybe
> federally controlled) provider which you use with your national identity
> card for the "important" stuff, and the "normal" provider which you can
> use for blogs, forums and so on.
There are more than two categories. There are a lot of different
identity sources in the world. What about corporations that can
claim someone is an employee in a department? Universities stating
that a student is a member in a particular course or major?
I'd come back to my suggestion of a reputation service with a set of
"tags" for providers that have been vetted by the reputation service
for particular things.
Most of the work in the past on this has focused on the quality of
credential assignment and the quality of the authentication performed
once those credentials have been handed out. See LoA, particularly
NIST 800-63.
While this is important, because no assurance or "proof" can be
stronger than the quality of these processes, nobody has spent much
time analyzing "who can send information A", such as "can state over
18." Shibboleth has experimented with this, but my experience has
been that it's unwieldy in practice. It's another dimension in the
table that adds a lot of complexity, and assurance/proof are really
difficult to begin with.
We don't have any easy answers here yet.
> Something like an OpenID root server, as used in the DNS, which
> tells you which provider has the permission to claim things
> about a specific country.
It's a shame that DNS itself can't do this (e.g. SRV records). It was
designed to, but it never will, given the mistakes in its
deployment. Reputation services should not make the same mistake.
If something like this is designed, it needs to be specifically
constrained so that it provides the information necessary.
This is a very good place for further conversation and work,
Nate.