[OpenID] OpenID on change.gov

Peter Williams pwilliams at rapattoni.com
Fri Nov 28 21:49:11 UTC 2008


Ok. I've been corrected. Disqus is an RP, not an OP.

I'm sighing with relief, for the OpenID brand (and change.gov's credibility).

It was Passport's violation of EC data protection rules all over again, for a moment there.

------------

The ability of the disqus.com value-adder (of commenting services) to correlate is a simple function of being an outsourcer of blog commenting services. It has nothing to do with being an OpenID function or some related side-effect of the properties of verified identities (which was the claim/benefit).

The original claim implied that properties/benefits __of OpenID__ on that site facilitated the correlations being performed by the RP.

Obviously, any outsourced vendor can cross-correlate data across its tenants. This is a function of the outsourcer failing to deliver/offer a credible assurance for the compartmentalization of tenant data.

So,

if there are identity-based access controls in place at the cross-correlating RP site which say that release of the cross-correlations is (a) dependent on recognizing citation of a verified OpenID served by X list of correlator-trusted OPs, and (b) the search is predicated on you NOW showing you STILL control THAT OpenID in order to invoke/release the cross-correlations report about THAT OpenID, then fine. This is indeed just an RP, accepting OpenIDs and doing data mining (in a non-compartmentalized dataset).

The threat I described still exists (and is a simple function of collaborating RPs and lack of compartmentalization), but at least it's NOT now a _property_ of the OpenID auth OP. It's a simple side-effect of the fact that URLs can be recognized as a single identity.

In the SAML2 world, of course, one addresses this innate power of RPs to coordinate cross-correlations - presumably against your privacy interests - by exploiting persistent and transient NameID formats.


From: general-bounces at openid.net [mailto:general-bounces at openid.net] On Behalf Of Peter Williams
Sent: Friday, November 28, 2008 1:20 PM
Cc: OpenID List
Subject: Re: [OpenID] OpenID on change.gov

Hold on. I don't see what is being specifically cited here as necessarily a benefit - and certainly not what OpenID is about, in its baseline assurances. What's being presented is a value-added service by an OP that goes beyond OpenID properties - and evidently discloses correlations/datamining to account holders (and possibly others).


Mainline site = OP = disqus.com = OpenID provisioner

RP site = change.gov = where citizens leave comments, verified or not (and verified by any OpenID 1 OP, including disqus.com)

If the disqus.com OP is used by the user (versus some other OP), a citizen may optionally visit disqus.com (acting as just a value-adding RP of its own OP service).

The RP disqus.com data-mines its OP-function logs, and presents a list of other-RP sites where - in its OP function - it has previously delivered verified OpenIDs.


So far, so good - as this is essentially the same as myOpenID, its audit trail, and its configuration of per-RP attribute release policies.

------------

Beyond OpenID compliance, however:-

A. However, the disqus.com RP goes one step further in that it appears to know the specific comment URI for which, earlier, it delivered a verified OpenID to a "known" commenting site - an RP in the "Disqus trust network", such as change.gov.

B. Either by dynamic de-reference or by OOB replication, the disqus.com RP aggregates all the comments' texts associated with a verified OpenID and presents them for viewing.

I don't necessarily like the properties of A and B. And I don't like them being labeled an "OpenID function".

I want an OP to normally ONLY know that RPx was the recipient of a verified ID. I don't want it to have the ability to trace/track which _transaction_ on the RP it was applied to (e.g. some specific comment origination). And I certainly don't want it to BY DEFAULT cross-correlate the originated comments across many RPs.

For all I know, there could be a deal between RP change.gov and OP/RP disqus.com that allows, under my account's terms of service, change.gov to also see some or all of the places where a verified ID used on change.gov... has deposited comments elsewhere.

If I deliver some series of politically incorrect comments on change.gov (and get, like Paul Newman, put onto a White House enemies list for simply being too active, vocal or effective in argument), one can see the FBI or US Secret Service wanting to EASILY see the list of where else I've commented - to assess the threat level I pose. That threat level would normally be a function of my associations, which will include being associated with a commenting site... such as trots.org. I have no doubt disqus.com would hand over this list of associations in an instant, without informing me - and do that irrespective of what the terms of service require, under freedom of contract.

So, yes, we are clearly rapidly maturing! Evidently, some OPs are failing to segregate duties. Their opportunity to correlate is being bundled with identity-verification services. While it is being sold as a UCI benefit, in reality it's much more likely to be being sold to the RPs, for a backroom fee. Even if that fee subsidizes valuable end-user services (just as Google's AdWords correlation-based search revenue subsidizes all the "stuff" Google delivers "at no cost"), the conflation of identity provider and value-added provider is dubious. The OP is no longer a _disinterested_ third party in your actions on the RP site(s).


From: general-bounces at openid.net [mailto:general-bounces at openid.net] On Behalf Of Chris Messina
Sent: Friday, November 28, 2008 12:47 PM
To: Sam Alexander
Cc: OpenID List
Subject: Re: [OpenID] OpenID on change.gov

To expand on this, the value in the Disqus and IntenseDebate systems is that a user can sign up for an account on either mainline site (centrally on disqus.com or intensedebate.com) and then reuse those accounts elsewhere.

Moreover, by using a verified identifier (without having to divulge one's password to an untrusted third party site), you can then go back to the mainline sites to see an aggregated view of the comments you've left on the sites that support any of these systems.

Of course it requires many sites and commenting forms to adopt either of these services, but it demonstrates a value of being able to leave a comment in the wild and then see follow up responses in one place (a user-centric value-add).

Chris
On Thu, Nov 27, 2008 at 6:25 PM, Sam Alexander <sam.alexander at vidoop.com> wrote:
Eric, you are confusing adoption and usefulness. While you are right,
there are probably very few OpenID-backed comments, OpenID's
usefulness is an entirely different question.

OpenID remains a powerful extension of Identity on the web. While a
common username/email comment adds no RECIPROCAL value to the
commenter, an OpenID comment WOULD. It would allow that comment to be
attributed to a specific, verified URL owner.

While few of the 3,000 commenters may be aware of this value, the
added value still exists.

- Sam Alexander

On Nov 27, 2008, at 3:18 PM, Eric Norman <ejnorman at doit.wisc.edu> wrote:

>
> On Nov 27, 2008, at 4:47 PM, Peter Williams wrote:
>
>> It's a request for comments: that's a classical use of OpenID: and no
>> authority is required to uniquely leave your/a (citable) web ID
>> attached to your opinion. It's easy to follow up with you, given the
>> inherent linkback to the identity page.
>
> It appears that anyone can leave a comment without the OpenID
> stuff or without going through some registration process.
> Furthermore, I doubt if they have either the time or motivation
> to follow up on anything.  Nevertheless, they do provide you
> with a way to provide an optional email address.
>
> Hence, I'll repeat the question.  Why would anyone want to use
> OpenID here?  It seems to add nothing more than extra work.
>
> Or let me put it this way.  As of yesterday, there were close
> to 3,000 comments on health care.  How many of those do you
> think used OpenID to leave their comment?  I'll bet on close
> to zero.
>
>> If the founding openid culture doesn't fit with grassroots
>> commenting,
>> where does it fit!?
>
> Where it adds value.
>
> By the way Peter, it seems that your system is the one adding
> "LIKELY SPAM" to subject lines.
>
> Eric Norman
>
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general



--
Chris Messina
Citizen-Participant &
 Open Technology Advocate-at-Large
factoryjoe.com # diso-project.org
citizenagency.com # vidoop.com
This email is:   [ ] bloggable    [X] ask first   [ ] private
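The closing point of the top message - that SAML2 persistent and transient NameID formats blunt the ability of relying parties to pool their logs and cross-correlate one person's comments - is easier to see with a small simulation. The following is an added example, not code from this thread, from Disqus, change.gov, or any OpenID or SAML implementation. It contrasts a global identifier (an OpenID URL that every RP sees unchanged) with a pairwise persistent pseudonym and a per-session transient one. The pairwise pseudonym is derived here as an HMAC over the RP identifier and the local account name under an IdP-held secret, which is one common construction (an IdP may equally store a random value per user/RP pair); the secret, the account names, the comment texts and the example.invalid URL are all constructed for illustration. The RP names are the two sites named in the thread.

```python
import base64
import hashlib
import hmac
import secrets

# Added example; not code from the thread, from Disqus, change.gov, or any
# OpenID/SAML product. It contrasts a global identifier (an OpenID URL, the
# same at every RP) with SAML2-style pairwise persistent and per-session
# transient NameIDs. The secret, account names and comment texts are constructed.

IDP_SECRET = b"constructed-idp-secret-for-illustration-only"  # assumption: long-term IdP key


def global_identifier(local_user_id: str) -> str:
    """OpenID 1.x style: one URL that every RP recognises as the same identity."""
    return f"http://example.invalid/{local_user_id}"  # constructed URL


def persistent_nameid(local_user_id: str, rp_id: str, idp_secret: bytes = IDP_SECRET) -> str:
    """Pairwise pseudonym: stable for one (user, RP) pair, different at every RP.
    Derived here as HMAC(idp_secret, rp_id || 0x00 || user); an IdP could equally
    store a random value per pair. Without the secret an RP can neither recompute
    nor reverse it, so two RPs comparing logs see unrelated opaque strings."""
    msg = rp_id.encode() + b"\x00" + local_user_id.encode()
    mac = hmac.new(idp_secret, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).rstrip(b"=").decode()


def transient_nameid() -> str:
    """Fresh random value per authentication: the identifier alone does not let
    even the same RP link two sessions of one user."""
    return base64.urlsafe_b64encode(secrets.token_bytes(24)).rstrip(b"=").decode()


def issue(scheme: str, local_user_id: str, rp_id: str) -> str:
    """What the identity provider hands the RP at login under each scheme."""
    if scheme == "global":
        return global_identifier(local_user_id)
    if scheme == "persistent":
        return persistent_nameid(local_user_id, rp_id)
    if scheme == "transient":
        return transient_nameid()
    raise ValueError(f"unknown scheme {scheme!r}")


def linkable(log_a: dict, log_b: dict) -> set:
    """What two colluding RPs learn by pooling logs keyed on the identifier
    they were given: the intersection of their key sets."""
    return set(log_a) & set(log_b)


def cross_rp_links(scheme: str) -> int:
    """Two RPs (names taken from the thread) each record one comment per user
    under the identifier they received; return how many users the pooled logs
    can tie together across the two sites."""
    users = ["alice", "bob", "carol"]  # constructed accounts at the IdP
    rps = ["change.gov", "disqus.com"]
    logs = {rp: {} for rp in rps}
    for user in users:
        for rp in rps:
            logs[rp][issue(scheme, user, rp)] = f"{user}'s comment on {rp}"
    return len(linkable(logs["change.gov"], logs["disqus.com"]))


def same_rp_links_sessions(scheme: str, user: str = "alice", rp: str = "change.gov") -> bool:
    """Whether one RP can tie two logins of the same user together using the
    identifier alone (the property persistent keeps and transient gives up)."""
    return issue(scheme, user, rp) == issue(scheme, user, rp)


if __name__ == "__main__":
    for scheme in ("global", "persistent", "transient"):
        print(f"{scheme:10s}: {cross_rp_links(scheme)} of 3 users linkable across RPs; "
              f"same RP links sessions: {same_rp_links_sessions(scheme)}")
```

With the global identifier all three constructed users are linkable across the two RPs by a plain set intersection, which is exactly the "URLs can be recognised as a single identity" side-effect discussed above; with pairwise persistent pseudonyms the intersection is empty while each RP can still recognise a returning user; with transient identifiers even a single RP cannot tie two sessions together from the identifier alone. None of this stops an RP from correlating on other data it holds (e-mail address, IP address, writing style), so it addresses the identifier-level channel only, not the general lack of compartmentalization the message describes.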