[OpenID] "This is user's URI" for Assertion Quality Extension

George Fletcher gffletch at aol.com
Mon Sep 8 12:39:07 UTC 2008


So I think the issue comes down to the fact that in OpenID the RP 
assumes all the "risk" of a transaction. To me 
http://openid.aol.com/gffletch is not different than a 2.0 pseudonymous 
identifier of http://openid.aol.com/asdjff92rasldkf2f339r. Both 
represent real users with a desire to use the RP in some way.

The RP has to decide (as you made the point) what it wants to allow or 
not allow.

The only real value in one identifier over the other is the ability to 
correlate that data with other RPs. There are multiple ways to handle 
the correlation issue even in a privacy friendly way but they are more 
complicated (e.g. Liberty Alliance People Service) than using global 
correlatable ids.

I could see AX being used to present information to an RP about the 
"validity" or "reputation" of an OpenID such that the RP could make 
decisions based on that data.  Or as you say, the RP could track 
activity of an identifier and increase user privileges as certain 
activities are completed.

The spec allows for all this... we just need some best practices. 
However, I'd prefer to not define best practices that rely on particular 
kinds of identifiers, but rather use attributes of the identifier to 
facilitate the desired use cases.

Thanks,
George

SitG Admin wrote:
>> So the RP would end up with exactly the same identifier an RP would discover if I
>> logged in as =drummond.
>>     
>
> I could keep track of which you entered, though this isn't covered 
> from within the spec. But this isn't very useful past OpenID v1.
>
>   
>> That's the way directed identity is designed to work. It's not necessarily
>> about anonymity -- it's about letting the user choose their URI at the OP
>>     
>
> That it *can* be used for anonymity is sufficient reason to begin 
> accounting for that usage in advance.
>
>   
>> It can and should be the user's choice what URIs
>> he/she shares with what sites.
>>     
>
> Choice is more like chaos without some knowledge to inform it. Being 
> able to detect what the user is doing and advise them of what that 
> *means* is akin to error reporting; it would be nice if OP's were 
> responsible for all of this, but we shouldn't rely on all OP's 
> sharing the same view of what qualifies as erroneous - nor can we 
> rely on them to inform RP's of user's choices when those RP's might 
> offer contradictory advice. When it comes to information warfare, I 
> prefer full and pre-emptive disclosure, but the challenge here is 
> getting information to the users when they won't go looking because 
> they know what they were told is right.
>
> General principles aside, a RP should be able to inform a user *in 
> advance* of things like "If, later on, we see the URI you are using 
> here, but on some other site, we will raise the value of your 
> Identity accordingly, and grant you higher privileges on our site . . 
> . now, here are the consequences *we think* you should be aware of, 
> to doing so." - whatever is specific to that RP, instead of expecting 
> OP's to anticipate and keep track of everything so they can apprise 
> the user of the implications of their (the user's) decisions.
>
>   
>> If a site has a particular reason to know
>> that a user has shared a particular URI with another particular site, that's
>> different -- and the OpenID protocol could be used to prove that. But I
>> don't think that's what you're asking.
>>     
>
> True, this is more of a pre-emptive question:
>
>   
>> Obvious use case would be that pseudonymous user wanting to be
>> recognized as the same person as the previous visit but not willing to
>> give up his privacy. This is a classic use case in both XRI and Liberty.
>>
>> =nat at Tokyo via iPhone
>>     
>
> I was a bit confused at first, thinking "This is what we have 
> already, not knowing if the user is 'anonymous' but being able to 
> identify them from session to session.", and then I realized the 
> application for pro-privacy^1 sites: being able to detect that a user 
> has an identifier which *could* be used, in the future, on other 
> sites - and warning them "If this site's records are compromised, 
> your main URI would be too, so we recommend you to use an anonymous 
> URI here and preserve your main URI for sites where you want that and 
> others to know you by the same digital identity."
>
> Whereas, with a URI that isn't found on Google (yet), how could a RP 
> know whether it was seeing a unique URI that would only be used for 
> that RP, or a "real" URI that might later show up on other sites?
>
> ^1) As a pro-privacy site, I would probably alternate between 
> recommending new users to be anonymous and recommending them not to 
> be. Or both at the same time: "I tried entering my claimed_id and you 
> said it was safer to be anonymous, so I tried being anonymous and you 
> said that typing in my claimed_id would be better. Make up your mind!"
>
> -Shade
>
> Postscript: it might be helpful if I referenced Andrew Arnott's 
> message (on the general list) that inspired this?
> http://openid.net/pipermail/general/2008-September/005453.html



