[OpenID] Is OpenID privacy?

SitG Admin sysadmin at shadowsinthegarden.com
Mon Sep 22 21:09:27 UTC 2008


>Should people remember his friend's OpenID?
>I think they should. Because they access friend's space using friend's OpenID

Not clear on what you're saying here - is it that they *associate* 
their friend with their friend's actions by remembering their 
friend's OpenID, or that their friend's OP should also be a RP and 
accept logins to get in touch with their friend?

Getting in touch with friends at a 3rd-party "hub" site, entering 
friends' OpenID's in the "To:" field and identifying message sources 
in the "From:" field (as you suggest below), is also technically 
possible. Since many OP's are currently refusing to be RP's, this 
alternative may even be desirable ;)

The hub does count as a 3rd party for trust purposes, too, though; 
and if users began taking advantage of such hubs, their OP's might 
begin to support OpenID as RP's just to reduce the number of parties 
being trusted.

>Should Relying Party display user's OpenID to other user?
>I think they should. Because other users need to differentiate the 
>users in Relying Party.

This is not always the case (I'll get to that in a moment). Users can 
be assigned (i.e., not choosing for themselves) a "local" username 
completely independent of their OpenID; this still enables users to 
differentiate between other users, while providing privacy outside 
the site (username assignation can be a random process localized to 
each RP, instead of contacting other RP's/OP's to say "What username 
should this OpenID have?"), because there is no valid technical reason 
to connect "Tom" at one RP with "Tom" at another RP.

But really, *do* other users *need* to know who you are? This 
presumes some form of interaction between them, at the very least; if 
the RP is not set up to accept anything but content requests from the 
users, isolating users from one another on the site, there is no 
*need* to identify other users (since each user is dealing, through 
that site, only *with* the site, not with other users).

I use this setup on my own site, for security as much as privacy; my 
filtering rules are very simple and strict, and I do not need to 
escape user-generated content to protect users from one another.

>OpenID can avoid Spam.

In a specific sense (E-mail), yes; OpenID's are not required to 
include E-mail addresses (although the namespace overlaps for many 
hosting providers, even those which also act as their users' own OP, 
make for trivial conversion of URI to E-mail address), and the user 
might not even disclose their "real" E-mail address through Attribute 
Exchange, instead giving out one they would never check, effectively 
filtering all the spam for that address.

In a more abstract sense, though, spam has the effect of denial or 
deterioration of service; and in *that* respect, one can still "spam" 
an OpenID - using a (D)DoS attack on the servers hosting your URI so 
RP's can't even *find* the page, much less see which OP you wanted.

Let's assume you're *not* using a large company with more bandwidth 
than anyone can realistically hope to occupy; let's assume you're not 
even using a *small* company that hosts hundreds of tiny websites and 
is bewildered about why they are being targeted with this attack; 
let's assume you're one of those paranoid individuals who runs their 
own server out of their own house, over their own residential DSL 
line to the internet. (Dial-up could work too, I suppose; OpenID 
doesn't have very high bandwidth requirements, especially for the 
Identity-hosting site that just serves up one page per transaction.) 
Whichever is the case, you can be *certain* that you, and you alone, 
are the target of this attack. Do you go for a new IP number? How 
much good can this be until the RP is able to find your site by the 
domain name? (127.0.0.1/user is differentiated from localhost/user in 
OpenID, even if they *do* usually resolve to the same page.) 
Whereupon the DoS catches up - because your attackers, too, can use 
DNS.

This is where a PKI might prove useful; it would be nice to give the 
RP a URI but ask them to please use a specified IP number if they 
can't access the URI right away, keeping your server at that IP 
address but preventing it from correcting the DNS servers *just* yet 
:)

-Shade
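One way an RP could implement the per-site "local" usernames described above, as an added illustration that is not part of the original message or of any OpenID library: the RelyingParty class, its HMAC-based naming scheme, and the example identifiers are assumptions of this example.

```python
import hmac
import hashlib
import secrets


class RelyingParty:
    """Toy RP that hands each OpenID a locally generated username.

    The username is an HMAC of the OpenID under a secret known only to
    this RP, so the same OpenID gets unrelated usernames at different
    RPs, and the RP never has to ask another RP or OP what to call someone.
    (Hypothetical class written for this example.)
    """

    def __init__(self, name, secret=None):
        self.name = name
        # One secret per RP, kept private. A fresh random key is drawn
        # unless a fixed one is supplied (handy for tests).
        self.secret = secret if secret is not None else secrets.token_bytes(32)
        self.users = {}  # local username -> OpenID, visible only inside this RP

    def local_username(self, openid):
        # Deterministic per RP, so a returning user keeps the same local name,
        # but unpredictable to anyone without this RP's secret.
        tag = hmac.new(self.secret, openid.encode("utf-8"), hashlib.sha256).hexdigest()
        return "user-" + tag[:12]

    def login(self, openid):
        # Called after the OpenID authentication itself has succeeded (not shown).
        name = self.local_username(openid)
        self.users[name] = openid
        return name


def linkable(rp_a, rp_b, openid):
    """True if the two RPs would display the same name for this OpenID."""
    return rp_a.local_username(openid) == rp_b.local_username(openid)


if __name__ == "__main__":
    # Constructed sample identifiers, not real OpenIDs.
    alice = "https://alice.example/"
    forum = RelyingParty("forum")
    wiki = RelyingParty("wiki")
    print(forum.login(alice), wiki.login(alice))
    print("linkable across RPs:", linkable(forum, wiki, alice))  # False
```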


