[OpenID] OpenID + Government
Peter Williams
pwilliams at rapattoni.com
Tue Aug 11 22:24:44 UTC 2009
Sent from my iPhone
On Aug 11, 2009, at 1:07 PM, "John Bradley" <john.bradley at wingaa.com> wrote:
Peter,
Unfortunately the need for pseudonymous identifiers directly conflicts with delegation.
You would be on the correct track to assume that if a particular RP has a requirement to not be able to correlate the user ID then Delegation would be prohibited.
I don't have a problem with that. This came along with openid 2 and law4 support.
The issue is: will provider accreditation enabling provider-controlled IDs to be used at some .gov sites (who deny openid has enough value for any serious transactions) now mean that ALL rp sites lose the uci benefits?
It seems that the likes of a yahoo op is being forced to choose: either uniformly pull delegation for any and all sites and use saml-style persistent ids, or else lose .gov accreditation (which assesses the provider's whole posture, not just interactions with .gov).
In cases where pseudonymous identifiers are not required it is possible to have delegation as long as the OP that is delegated to is certified. If you change delegated OPs, your new OP would need to be certified as well to have it work.
I want openid back ;-) I want uci!
I don't mind .gov imposing any rules they like for access to their sites. But via accreditation for that scope they don't thereby get the power to influence what I do in a wider scope (with other rp sites) or limit my op choice to "certified" ops.
OPs themselves may not feel comfortable for liability reasons providing assertions for claimed_id that they are not authoritative for.
But in law4 with openid delegation they don't. OPs mint the very same response for a delegation or non-delegation flow. It's up to the rp to correlate the uci and op persistent identifiers, using a post-assertion round of discovery, retrieving an xrd that is controlled by the user (not the op) and which asserts the user's authority for the op to speak for the uci name.
Your mileage on delegation will vary depending on the RP and the OP delegated to.
I know I'm losing. It's amazing openid kept up the pretence of a uci orientation as long as it did. But uci like xri did its job: they sold a vision, got adoption wagons rolling for webscale web SSO, understanding that no megabrand would/could ever deliver it. Uci is antithetical to idp-centric federations.
With no xri resolution and no xrd discovery expressing the user's authority to delegate, there is little now in openid that distinguishes it from low-assurance saml.
John B.
On 11-Aug-09, at 10:22 AM, openid-general-request at lists.openid.net wrote:
Date: Tue, 11 Aug 2009 09:30:33 -0700
From: Peter Williams <pwilliams at rapattoni.com>
Subject: Re: [OpenID] OpenID + Government
To: "J. Trent Adams" <jtrentadams at gmail.com>, Chris Messina <chris.messina at gmail.com>
Cc: OpenID List <general at openid.net>
Message-ID: <BFBC0F17A99938458360C863B716FE463DCDF43EC4 at simmbox01.rapnt.com>
"That draft includes requirements that OpenID or related Info Card identities not be used to authenticate people who are physically present (it's just for remote online access), "
Given an openid is controlled by the user (not the provider), how can any one provider assure the govt of this?
The whole point of openid (in contrast to InCommon's version of SAML2, say) is that the identity is controlled by the user. If Google suspends or terminates the relationship with a given user today (because Google claims the user violated their terms of service), the user HAS to have the means to access his/her Plaxo RP account -- with no additional steps.
I'm going to guess that for any complying provider, they will have to disable support for openid delegation, which allows one openid to be used (a) in compliance with the draft requirements (when yahoo is the TSP-certified OP selected by a .gov website), and (b) not in compliance (when some non-certified OP "testing for and claiming physical presence" is the OP selected by some other, non-.gov website).
Since the architecture allows any one id through delegation to be different things to different assertion consumers, the only way for Yahoo (say) to comply with the assurance draft is to ELIMINATE ITS SUPPORT FOR OPENID DELEGATION (which Google has already done, apparently).
We seem to be rapidly losing what openid is/was all about: user empowerment and control.
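The RP-side correlation step discussed in this thread (post-assertion discovery of a user-controlled document that names the OP authorized to speak for the claimed identifier, so the OP's response is the same with or without delegation) as an added example; this is not code from either poster or from any OpenID library. It assumes OpenID 2.0 HTML-based discovery via openid2.provider / openid2.local_id link tags, and all identifiers and response fields are constructed sample values.

```python
from html.parser import HTMLParser
from urllib.parse import urldefrag

# Constructed sample: the page served at the user's claimed identifier.
# The user (not the OP) controls it; it delegates to an OP via link tags.
CLAIMED_ID = "https://alice.example.net/"
USER_PAGE = """<html><head>
<link rel="openid2.provider" href="https://op.example.com/endpoint">
<link rel="openid2.local_id" href="https://op.example.com/u/alice42">
</head><body>alice</body></html>"""

class _LinkParser(HTMLParser):
    """Collects rel -> href for every <link> tag in the discovered page."""
    def __init__(self):
        super().__init__()
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        a = dict(attrs)
        for rel in (a.get("rel") or "").split():
            self.links[rel.lower()] = a.get("href")

def discover(html):
    """Return (op_endpoint, op_local_id) from HTML-based OpenID 2.0 discovery."""
    p = _LinkParser()
    p.feed(html)
    return p.links.get("openid2.provider"), p.links.get("openid2.local_id")

def verify_assertion(resp, user_page_html):
    """RP-side check (OpenID 2.0, "Verifying Discovered Information") that the
    asserting OP is the one the user-controlled document authorizes. resp holds
    the positive-assertion fields; user_page_html is what the RP fetched from
    openid.claimed_id after receiving the assertion (post-assertion discovery)."""
    claimed, _ = urldefrag(resp.get("openid.claimed_id", ""))
    endpoint, local_id = discover(user_page_html)
    # The OP that produced the response must be the one the user delegated to.
    if endpoint is None or resp.get("openid.op_endpoint") != endpoint:
        return False
    # The OP asserts its own local identifier: openid2.local_id when delegating,
    # otherwise the claimed identifier itself. The RP does the correlation.
    expected_identity = local_id or claimed
    return resp.get("openid.identity") == expected_identity

# Constructed positive-assertion fields as the RP would receive them.
GOOD_RESPONSE = {
    "openid.claimed_id": CLAIMED_ID,
    "openid.identity": "https://op.example.com/u/alice42",
    "openid.op_endpoint": "https://op.example.com/endpoint",
}
```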