[OpenID] "This is user's URI" for Assertion Quality Extension

Peter Williams pwilliams at rapattoni.com
Sat Sep 6 03:42:40 UTC 2008 

Im coming to the opinion that more is being made of the originality of op identifers that it merits. For years now, windows/ibm netbios domains have been known by domain names. For decades, without a nt/lan-manager token (aka session/cached credential), one would be prompted via ui to select not only a user name but a domain [name] (as discovered through netbios' master browser recognition). Given mpls, virtual routing domains and vpns, ldap forest discovery is hardly restricted to "lans" (and netbios ideas) these days. Its pretty wide area. Its a wan-scale internetwork notion (these days).

-----Original Message-----
From: SitG Admin <sysadmin at shadowsinthegarden.com>
Sent: Friday, September 05, 2008 8:32 PM
To: Drummond Reed <drummond.reed at cordance.net>
Cc: general at openid.net <general at openid.net>
Subject: Re: [OpenID] "This is user's URI" for Assertion Quality Extension


>So the RP would end up exactly the same identifier an RP would dicover if I
>logged in as =drummond.

I could keep track of which you entered, though this isn't covered
from within the spec. But this isn't very useful past OpenID v1.

>That's the way directed identity is designed to work. It's not necessarily
>about anonymity -- it's about letting the user choose their URI at the OP

That it *can* be used for anonymity is sufficient reason to begin
accounting for that usage in advance.

>It can and should be the user's choice what URIs
>he/she shares with what sites.

Choice is more like chaos without some knowledge to inform it. Being
able to detect what the user is doing and advise them of what that
*means* is akin to error reporting; it would be nice if OP's were
responsible for all of this, but we shouldn't rely on all OP's
sharing the same view of what qualifies as erroneous - nor can we
rely on them to inform RP's of user's choices when those RP's might
offer contradictory advice. When it comes to information warfare, I
prefer full and pre-emptive disclosure, but the challenge here is
getting information to the users when they won't go looking because
they know what they were told is right.

General principles aside, a RP should be able to inform a user *in
advance* of things like "If, later on, we see the URI you are using
here, but on some other site, we will raise the value of your
Identity accordingly, and grant you higher privileges on our site . .
. now, here are the consequences *we think* you should be aware of,
to doing so." - whatever is specific to that RP, instead of expecting
OP's to anticipate and keep track of everything so they can apprise
the user of the implications of their (the user's) decisions.

>If a site has a particular reason to know
>that a user has shared a particular URI with another particular site, that's
>different -- and the OpenID protocol could be used to prove that. But I
>don't think that's what you're asking.

True, this is more of a pre-emptive question:

>Obvious use case would be that psudonimous user wanting to be
>recognized as the same person as the previous visit but not willing to
>give up his privacy. Thisbis a classic use case in both XRI and Liberty.
>
>=nat at Tokyo via iPhone

I was a bit confused at first, thinking "This is what we have
already, not knowing if the user is 'anonymous' but being able to
identify them from session to session.", and then I realized the
application for pro-privacy^1 sites: being able to detect that a user
has an identifier which *could* be used, in the future, on other
sites - and warning them "If this site's records are compromised,
your main URI would be too, so we recommend you to use an anonymous
URI here and preserve your main URI for sites where you want that and
others to know you by the same digital identity."

Whereas, with a URI that isn't found on Google (yet), how could a RP
know whether it was seeing a unique URI that would only be used for
that RP, or a "real" URI that might later show up on other sites?

^1) As a pro-privacy site, I would probably alternate between
recommending new users to be anonymous and recommending them not to
be. Or both at the same time: "I tried entering my claimed_id and you
said it was safer to be anonymous, so I tried being anonymous and you
said that typing in my claimed_id would be better. Make up your mind!"

-Shade

Postscript: it might be helpful if I referenced Andrew Arnott's
message (on the general list) that inspired this?
http://openid.net/pipermail/general/2008-September/005453.html
_______________________________________________
general mailing list
general at openid.net
http://openid.net/mailman/listinfo/general

More information about the general mailing list