[OpenID] Correlating Identifiers
Peter Williams
pwilliams at rapattoni.com
Thu Nov 6 15:26:29 UTC 2008
Don't OpenID state machine rules require an RP to reject an identity claim from the OP that fails to match the requested identity?
Isn't the ONLY exception to that when the RP/user has invoked the directed-identity flow?
The way OpenID users USED to present the security control was: the user selects which of their OP-registered OpenIDs they wish to release to a given RP. It was NOT presented as: like SAML, OPs might start doing persistent or transient masking of naming identifiers (such as the user-selected OpenID).
Nat, are you asserting that the semantics of your correlation mitigation mode are identical, semantically, with some of the SAML "format" controls?
Should I be expecting another OpenID extension spec to be in the works, where the RP can start to specify which correlation mode (SAML2.format) it wants the OP to enforce (and the OP can signal back exceptions if it is unable to perform)?
I don't mind this kind of SAML and OpenID convergence. At the same time, we should be clear what is going on. I'd be worried if we only implemented in OpenID a subset of the controls for any given SAML use case.
Providing OP correlations, without also providing for RP signalling of format, and without the option for an RP to change the nameid for uncorrelated directed id... worries me. If we are going to reimplement a SAML flow, then fine. But let's do it formally and fully (with OpenID's nice easy syntax, and auth based on associations+https rather than connectionless PKI/sigs).
________________________________________
From: general-bounces at openid.net [general-bounces at openid.net] On Behalf Of Nat Sakimura [n-sakimura at nri.co.jp]
Sent: Thursday, November 06, 2008 2:53 AM
To: Christian Scholz / Tao Takashi (SL)
Cc: Martin Atkins; OpenID List
Subject: Re: [OpenID] Correlating Identifiers
The current implementation that we are doing allows user to choose
non-correlating OpenIDs and correlating OpenIDs depending on the sites.
I believe that is the way it should be.
=nat
Christian Scholz / Tao Takashi (SL) wrote:
> Hi!
>
> On Thu, Nov 6, 2008 at 1:06 AM, Allen Tom <atom at yahoo-inc.com> wrote:
>
>> Hi Nate -
>>
>> By default, Yahoo users get a single machine generated OpenID identifier
>> which is used at all RPs that the user signs into. Because the identifier is
>> not unique to the RP, the user can be identified across multiple sites.
>>
>> Prior to launching our OpenID service, Yahoo's policy with our proprietary
>> SSO service was to issue RP-specific identifiers to prevent RPs from sharing
>> data about the user and correlating user behavior across different sites.
>>
>> Based on our discussions with the OpenID community, we concluded that the
>> spirit of OpenID is to allow a user to reuse the same identity across the
>> net, which implied that we should not vary the identifier that is returned
>> to RPs. We believe that there is value in having an identifier with a
>> reputation attached to it, and that in the future, RPs may be able to take
>> the user's reputation into account to optimize the content and services
>> given to first time visitors.
>>
>
> We had this discussion quite a bit on the DataPortability chat a while
> back and I wonder if that's really working for everybody as maybe some
> people don't want to be aggregated into a single identity. I might
> want a different profile on different sites and those sites not to be
> able to aggregate it. So basically let the user decide.
>
> But then again it depends on your provider if you can e.g. use
> "yahoo.com" and not some personal identifier which then the site would
> have anyway. So maybe this problem is one step before OpenID and some
> service could allow you to attach different OpenIDs to the same set of
> profiles you usually choose from (so the data for you at least is
> still aggregated and centrally editable).
>
> Just a thought.
>
> -- Christian
_______________________________________________
general mailing list
general at openid.net
http://openid.net/mailman/listinfo/general
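The RP-side rule Peter asks about, and the non-correlating (RP-specific) identifiers Nat and Allen describe, as an added example that is not code from the thread or from any OpenID library: the RP must reject a positive assertion for an identifier it did not request, unless it asked for directed identity with the `identifier_select` URL, which is the one case where the OP may choose the identifier. The `pairwise_identifier` derivation is a hypothetical OP-side scheme (HMAC over user and realm) assumed here to illustrate why a non-correlating identifier only works in that directed-identity flow; `op_base`, `realm` and the secret are assumed names.

```python
import hashlib
import hmac

# OpenID 2.0 special value the RP sends when it lets the OP choose the identifier.
IDENTIFIER_SELECT = "http://specs.openid.net/auth/2.0/identifier_select"


def rp_accepts_assertion(requested_claimed_id: str, asserted_claimed_id: str) -> bool:
    """RP check on a positive assertion from the OP.

    - Directed identity (request used identifier_select): any non-empty
      identifier the OP chooses is acceptable at this step; the RP must still
      run discovery on it to confirm the OP is authoritative for it (not shown).
    - Otherwise the asserted identifier must be exactly the one requested, so
      an OP that silently swaps in a masked/pairwise identifier is rejected.
    """
    if requested_claimed_id == IDENTIFIER_SELECT:
        return bool(asserted_claimed_id)
    return asserted_claimed_id == requested_claimed_id


def pairwise_identifier(op_base: str, user_id: str, realm: str, secret: bytes) -> str:
    """Hypothetical OP-side derivation of an RP-specific (non-correlating) OpenID.

    Deterministic per (user, realm), so one RP sees a stable identifier across
    logins, while two realms see unrelated values. `secret` is held only by the
    OP; without it RPs cannot link their identifiers for the same user.
    """
    msg = f"{user_id}\0{realm}".encode()
    tag = hmac.new(secret, msg, hashlib.sha256).hexdigest()[:32]
    return f"{op_base}/id/{tag}"


if __name__ == "__main__":
    # Constructed sample values, not real OPs or RPs.
    secret = b"op-only-key"
    alice_rp1 = pairwise_identifier("https://op.example", "alice", "https://rp1.example/", secret)
    alice_rp2 = pairwise_identifier("https://op.example", "alice", "https://rp2.example/", secret)
    print("distinct per RP:", alice_rp1 != alice_rp2)
    # Directed identity: the RP asked the OP to pick, so a pairwise id is fine.
    print("directed flow accepts:", rp_accepts_assertion(IDENTIFIER_SELECT, alice_rp1))
    # Non-directed flow: user asked for a specific OpenID; a swapped id is rejected.
    print("masked id rejected:", not rp_accepts_assertion("https://alice.example/", alice_rp1))
```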