[OpenID] Use OpenID for Identification
Peter Williams
pwilliams at rapattoni.com
Thu May 15 15:44:36 UTC 2008
Fun topic ...as the openid community formally has an answer - one which is at least more than a rehash of the arguments one typically sees (year after year after year, particularly after yet another "magical" authenticated blob format, handshake and name server is launched).
In the uci doctrine, you the enduser are the only authority. There are no classical ttps, unless one considers the sp a ttp. The doctrine says: if the SPs of major import (e.g. Govt services, or national news outlets) reject a certain op because its sp-designated reputation is too poor, users will be denied access and will quickly re-register with one that is not blacklisted.
Now this trust concept is not actually new: it's the hub/spoke model, where the sp is the hub. What is novel about the construction is that the openid user is the idp-entity formally, rather than the op. The op is merely a repository (in the (German) legal model of CAs). Openid auth is really playing the role of the repository's ocsp responder. Now, in that model, repositories have their own assurances which qualify the "records" stored within, a concept that contrasts with assurances about the "proof statements" themselves (from the Cambridge/Needham tradition of handshake design/analysis).
-----Original Message-----
From: Nate Klingenstein <ndk at internet2.edu>
Sent: Thursday, May 15, 2008 8:02 AM
To: Christoph Eunicke <christoph at eunicke.de>
Cc: general at openid.net <general at openid.net>
Subject: Re: [OpenID] Use OpenID for Identification
Christoph,
> I'm trying to find a way how we could use OpenID to _prove_ that a user
> is over 18, or any other legally important claims.
_Prove_ is a term that would require a stronger trust infrastructure
than anything offered today. We usually stop at "very strong claim,"
and even that is extremely hard.
> Currently there are a lot of projects which try to combine national ID
> cards with OpenID, like Trustbearer or open.id.ee (which seems to be
> down at the moment). Combined with some sort of reputation list this
> would result in a two class society of OpenID-provider: the (maybe
> federally controlled) provider which you use with your national identity
> card for the "important" stuff, and the "normal" provider which you can
> use for blogs, forums and so on.
There are more than two categories. There are a lot of different
identity sources in the world. What about corporations that can
claim someone is an employee in a department? Universities stating
that a student is a member in a particular course or major?
I'd come back to my suggestion of a reputation service with a set of
"tags" for providers that have been vetted by the reputation service
for particular things.
Most of the work in the past on this has focused on the quality of
credential assignment and the quality of the authentication performed
once those credentials have been handed out. See LoA, particularly
NIST 800-63.
While this is important, because no assurance or "proof" can be
stronger than the quality of these processes, nobody has spent much
time analyzing "who can send information A", such as "can state over
18." Shibboleth has experimented with this, but my experience has
been that it's unwieldy in practice. It's another dimension in the
table that adds a lot of complexity, and assurance/proof are really
difficult to begin with.
We don't have any easy answers here yet.
> *Something like a OpenID-Rootserver as used in the DNS which
> tells you which provider has the permission to claim things
> about a specific country.
It's a shame that DNS itself can't do this (e.g. SRV records). It was
designed to, but it never will, given the mistakes in its
deployment. Reputation services should not make the same mistake.
If something like this is designed, it needs to be specifically
constrained so that it provides the information necessary.
This is a very good place for further conversation and work,
Nate.
_______________________________________________
general mailing list
general at openid.net
http://openid.net/mailman/listinfo/general