[OpenID] OpenID + Government
John Bradley
john.bradley at wingaa.com
Tue Aug 11 19:59:59 UTC 2009
Peter,
Unfortunately the need for pseudonymous identifiers directly conflicts
with delegation.
You would be on the correct track to assume that if a particular RP
has a requirement to not be able to correlate the user ID then
Delegation would be prohibited.
In cases where pseudonymous identifiers are not required it is
possible to have delegation as long as the OP that is delegated to is
certified. If you change delegated OPs your new OP would need to be
certified as well to have it work.
OPs themselves may not feel comfortable for liability reasons
providing assertions for claimed_id that they are not authoritative for.
Your mileage on delegation will vary depending on the RP and the OP
delegated to.
John B.
On 11-Aug-09, at 10:22 AM, openid-general-request at lists.openid.net
wrote:
> Date: Tue, 11 Aug 2009 09:30:33 -0700
> From: Peter Williams <pwilliams at rapattoni.com>
> Subject: Re: [OpenID] OpenID + Government
> To: "J. Trent Adams" <jtrentadams at gmail.com>, Chris Messina
> <chris.messina at gmail.com>
> Cc: OpenID List <general at openid.net>
> Message-ID:
> <BFBC0F17A99938458360C863B716FE463DCDF43EC4 at simmbox01.rapnt.com>
> Content-Type: text/plain; charset="us-ascii"
>
>
> "That draft includes requirements that OpenID or related Info Card
> identities not be used to authenticate people who are physically
> present (it's just for remote online access), "
>
>
> Given an openid is controlled by the user (not the provider), how
> can any one provider assure the govt of this?
>
> The whole point of openid (in contrast to incommon's version of
> SAML2, say) is that the identity is controlled by the user. If
> Google suspends or terminates the relationship with a given user
> today (because Google claims the user violated their terms of
> service), the user HAS to have the means to access his/her Plaxo
> RP account -- with no additional steps.
>
> I'm going to guess that for any complying provider, they will have to
> disable support for openid delegation, which allows one openid to be
> used (a) in compliance with the draft requirements (when yahoo is
> the TSP-certified OP selected by a .gov website), and (b) not in
> compliance (when some non-certified OP "testing for and claiming
> physical presence" is the OP selected by some other, non .gov website).
>
> Since the architecture allows any 1 id through delegation to be
> different things to different assertion consumers, the only way for
> Yahoo (say) to comply with the assurance draft is to ELIMINATE ITS
> SUPPORT FOR OPENID DELEGATION (which google has already done,
> apparently).
>
> We seem to be rapidly losing what openid is/was all about: user
> empowerment and control.
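The two rules John states above (delegation is prohibited when the RP requires pseudonymous identifiers; otherwise it is accepted only when the OP delegated to is certified) can be checked on the RP side at discovery time. The following is an added example written for this page, not code from the thread or from any OpenID library: it parses the OpenID 2.0 `openid2.provider` / `openid2.local_id` link tags from a constructed HTML discovery document, decides whether delegation is in use, and applies the RP policy. The certified-OP set, hostnames and sample HTML are constructed placeholders.

```python
# Added example (not from the thread): RP-side policy check for OpenID 2.0
# delegation. Delegation is in use when the HTML at the user's claimed_id
# names an OP-local identifier different from the claimed_id itself.
from dataclasses import dataclass
from html.parser import HTMLParser
from typing import Optional, Set, Tuple


@dataclass
class Discovery:
    claimed_id: str
    op_endpoint: Optional[str]
    op_local_id: Optional[str]

    @property
    def uses_delegation(self) -> bool:
        # A user-hosted claimed_id that points at a different OP-local id is
        # the delegation case John and Peter discuss.
        return self.op_local_id is not None and self.op_local_id != self.claimed_id


class _OpenIDLinkParser(HTMLParser):
    """Collects the openid2.provider and openid2.local_id <link> tags."""

    def __init__(self) -> None:
        super().__init__()
        self.provider: Optional[str] = None
        self.local_id: Optional[str] = None

    def handle_starttag(self, tag, attrs) -> None:
        if tag != "link":
            return
        a = dict(attrs)
        rels = (a.get("rel") or "").split()  # rel may carry several tokens
        href = a.get("href")
        if "openid2.provider" in rels:
            self.provider = href
        if "openid2.local_id" in rels:
            self.local_id = href


def discover(claimed_id: str, html: str) -> Discovery:
    """Simulates HTML-based discovery on an already-fetched document."""
    p = _OpenIDLinkParser()
    p.feed(html)
    return Discovery(claimed_id, p.provider, p.local_id)


# Constructed placeholder: the set of OP endpoints this RP treats as certified.
CERTIFIED_OPS: Set[str] = {"https://op.certified.example/endpoint"}


def rp_accepts(d: Discovery, requires_pseudonymous: bool,
               certified_ops: Set[str] = CERTIFIED_OPS) -> Tuple[bool, str]:
    """Applies the two rules from the thread; returns (accepted, reason)."""
    if d.op_endpoint is None:
        return False, "no openid2.provider found in discovery"
    if requires_pseudonymous and d.uses_delegation:
        return False, "delegation prohibited: RP must not be able to correlate the user"
    if d.uses_delegation and d.op_endpoint not in certified_ops:
        return False, "delegated-to OP is not certified"
    return True, "accepted"


# Constructed sample documents for a stand-alone run.
DELEGATING_HTML = """<html><head>
<link rel="openid2.provider" href="https://op.certified.example/endpoint">
<link rel="openid2.local_id" href="https://op.certified.example/users/alice">
</head></html>"""

NON_DELEGATING_HTML = """<html><head>
<link rel="openid2.provider openid.server" href="https://op.certified.example/endpoint">
</head></html>"""

if __name__ == "__main__":
    d = discover("https://alice.example/", DELEGATING_HTML)
    print(d.uses_delegation, rp_accepts(d, requires_pseudonymous=True))
    print(rp_accepts(d, requires_pseudonymous=False))
    print(rp_accepts(d, False, certified_ops=set()))
    print(discover("https://bob.example/", NON_DELEGATING_HTML).uses_delegation)
```

The check runs entirely on the discovery result, so it sits before any redirect to the OP; an RP that wants to refuse delegation outright for a given assurance profile can do so without ever contacting the uncertified OP.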