[OpenID] OpenID + Government
John Bradley
john.bradley at wingaa.com
Wed Aug 12 00:04:19 UTC 2009
OPs will not be required to change their behavior with non-government
sites or Gov sites that don't request a pseudonymous identifier.

Yes, that requires a way for the RP to request a pseudonymous
identifier when one is required.

You can assume that there will be a way to do that specified in the
GSA profile for OpenID.

In OpenID 2.0 the OP is asserting a claimed_id that it has no control
over when delegation is used.

You may be thinking of OpenID 1.0, where the RP is responsible for
remembering the discovered identifier.

In my case, if I delegate http://thread-safe.net to Yahoo,
they return my http://thread-safe.net as my claimed ID as a signed
element.

I don't have a problem with that, and the profile does not preclude
that.

However, any OP sending that assertion to a GSA RP must be in the GSA
whitelist.

That limits who you can delegate to and have it work at a GSA site.

You can choose a non-certified OP, but a GSA site will not accept the
assertion.

A fair amount of effort went into avoiding requiring OPs to make
changes that will affect non-GSA RPs.

Yahoo will continue to support delegation and Google may add it
(eventually).

I can't speak for either of them, but I can say that there is nothing in
the GSA profile that will cause them to stop supporting delegation in
general.

The internet is still safe for delegation.
John B.
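The RP-side checks John describes above (re-discovering the claimed_id after the assertion, because under delegation the OP asserts an identifier it does not control, and accepting assertions only from whitelisted OPs), written out as an added Python example that is not from this thread or from the GSA profile. The discovery documents, the OP endpoint op.example.net and the certified-OP list are constructed stand-ins, and the example assumes the assertion's signature has already been verified by the usual association or check_authentication step:

```python
"""Added example: RP acceptance checks for a delegated OpenID 2.0 assertion.

Everything below is illustrative: the "web" is a dict of constructed HTML
discovery documents, the OP endpoint is a placeholder host, and the certified
OP list stands in for a GSA-style whitelist. Signature verification is assumed
to have happened before verify_assertion() is called.
"""
import re
from typing import Optional, Tuple
from urllib.parse import urlsplit, urlunsplit

# Constructed stand-in for the web: normalized claimed_id -> HTML the RP fetches.
FAKE_WEB = {
    # A user-controlled identifier (the thread's example) delegated to an OP.
    "http://thread-safe.net/": (
        '<html><head>'
        '<link rel="openid2.provider" href="https://op.example.net/openid">'
        '<link rel="openid2.local_id" href="https://op.example.net/id/alice">'
        '</head></html>'
    ),
    # An OP-hosted identifier: no local_id link, so claimed_id == identity.
    "https://op.example.net/id/alice": (
        '<html><head>'
        '<link rel="openid2.provider" href="https://op.example.net/openid">'
        '</head></html>'
    ),
}

# Constructed allow-list standing in for a whitelist of certified OPs.
CERTIFIED_OPS = {"https://op.example.net/openid"}

LINK_RE = re.compile(
    r'<link\s+rel="(openid2\.(?:provider|local_id))"\s+href="([^"]+)"', re.I)


def normalize(url: str) -> str:
    """Minimal identifier normalization: lowercase scheme/host, drop fragment,
    and give an empty path a trailing '/'."""
    parts = urlsplit(url)
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(),
                       parts.path or "/", parts.query, ""))


def discover(claimed_id: str) -> Optional[dict]:
    """HTML-based discovery on the claimed_id: the user-controlled document
    names the OP allowed to speak for it and the OP-local identifier."""
    html = FAKE_WEB.get(normalize(claimed_id))
    if html is None:
        return None
    links = dict(LINK_RE.findall(html))
    if "openid2.provider" not in links:
        return None
    return {"op_endpoint": links["openid2.provider"],
            "local_id": links.get("openid2.local_id", normalize(claimed_id))}


def verify_assertion(assertion: dict, certified_ops=CERTIFIED_OPS,
                     require_pseudonymous: bool = False) -> Tuple[bool, str]:
    """Return (accepted, reason_or_claimed_id) for a positive assertion."""
    if assertion.get("openid.mode") != "id_res":
        return False, "not a positive assertion"
    claimed_id = assertion.get("openid.claimed_id", "")
    identity = assertion.get("openid.identity", "")
    op_endpoint = assertion.get("openid.op_endpoint", "")

    # 1. Only certified OPs may assert at this RP (the whitelist rule).
    if op_endpoint not in certified_ops:
        return False, "OP is not on the certified list"

    # 2. Under delegation the OP asserts a claimed_id it does not control, so
    #    the RP re-discovers the claimed_id and checks that the user-controlled
    #    document names exactly this OP and this local identifier.
    disc = discover(claimed_id)
    if disc is None:
        return False, "discovery on claimed_id failed"
    if disc["op_endpoint"] != op_endpoint:
        return False, "OP is not authorized by the claimed_id's discovery data"
    if disc["local_id"] != identity:
        return False, "asserted identity does not match discovered local_id"

    # 3. A pseudonymous RP cannot take a delegated, user-chosen claimed_id:
    #    that URL is the same at every site, which defeats pseudonymity.
    if require_pseudonymous and normalize(claimed_id) != normalize(identity):
        return False, "delegated identifiers are rejected in pseudonymous mode"

    return True, normalize(claimed_id)


if __name__ == "__main__":
    delegated = {"openid.mode": "id_res",
                 "openid.claimed_id": "http://thread-safe.net",
                 "openid.identity": "https://op.example.net/id/alice",
                 "openid.op_endpoint": "https://op.example.net/openid"}
    print(verify_assertion(delegated))
    print(verify_assertion(delegated, require_pseudonymous=True))
```

The ordering matters: the whitelist is checked before discovery so an uncertified OP is rejected without the RP fetching anything on its behalf, and the delegation rejection in pseudonymous mode is the thread's point that a user-chosen claimed_id and an uncorrelatable identifier cannot both be had in one assertion.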
On 11-Aug-09, at 3:24 PM, Peter Williams wrote:
>
>
> Sent from my iPhone
>
> On Aug 11, 2009, at 1:07 PM, "John Bradley" <john.bradley at wingaa.com> wrote:
>
> Peter,
>
> Unfortunately the need for pseudonymous identifiers directly
> conflicts with delegation.
>
> You would be on the correct track to assume that if a particular RP
> has a requirement to not be able to correlate the user ID then
> Delegation would be prohibited.
>
> I don't have a problem with that. This came along with openid 2 and
> law4 support.
>
> The issue is: will provider accreditation enabling provider-controlled
> IDs to be used at some .gov sites (who deny openid has
> enough value for any serious transactions) now mean that ALL rp
> sites lose the uci benefits?
>
> It seems that the likes of a yahoo op is being forced to choose:
> either uniformly pull delegation for any and all sites && use
> saml-style persistent ids, or else lose .gov accreditation (which assesses
> the provider's whole posture, not just interactions with .Gov).
>
>
>
> In cases where pseudonymous identifiers are not required it is
> possible to have delegation as long as the OP that is delegated to
> is certified. If you change delegated OP's your new OP would need
> to be certified as well to have it work.
>
> I want openid back ;-) I want uci!
>
> I don't mind .gov imposing any rules they like for access to their
> sites. But via accreditation for that scope they don't thereby get
> the power to influence what I do in a wider scope - with other rp
> sites - or limit my op choice to "certified" ops.
>
> OPs themselves may not feel comfortable for liability reasons
> providing assertions for claimed_id that they are not authoritative
> for.
>
> But in law4 with openid delegation they don't. Ops mint the very
> same response for a delegation or non-delegation flow. It's up to
> the rp to correlate the uci and op persistent identifiers, using a
> post-assertion round of discovery, retrieving an xrd that is
> controlled by the user (not the op) and which asserts the user's
> authority for the op to speak for the uci name.
>
> Your mileage on delegation will vary depending on the RP and the OP
> delegated to.
>
>
> I know I'm losing. It's amazing openid kept up the pretence of a uci
> orientation as long as it did. But uci, like xri, did its job: they
> sold a vision, got adoption wagons rolling for webscale
> websso, understanding that no megabrand would/could ever deliver it.
> Uci is antithetical to idp-centric federations.
>
> With no xri resolution and no xrd discovery expressing the user's
> authority to delegate, there is little now in openid that
> distinguishes it from low-assurance saml.
>
>
> John B.
>
> On 11-Aug-09, at 10:22 AM, openid-general-request at lists.openid.net wrote:
>
> Date: Tue, 11 Aug 2009 09:30:33 -0700
> From: Peter Williams <pwilliams at rapattoni.com>
> Subject: Re: [OpenID] OpenID + Government
> To: "J. Trent Adams" <jtrentadams at gmail.com>, Chris Messina <chris.messina at gmail.com>
> Cc: OpenID List <general at openid.net>
> Message-ID: <BFBC0F17A99938458360C863B716FE463DCDF43EC4 at simmbox01.rapnt.com>
> Content-Type: text/plain; charset="us-ascii"
>
>
> "That draft includes requirements that OpenID or related Info Card
> identities not be used to authenticate people who are physically
> present (it's just for remote online access), "
>
>
> Given an openid is controlled by the user (not the provider), how
> can any one provider assure the govt of this?
>
> The whole point of openid (in contrast to incommon's version of
> SAML2, say) is that the identity is controlled by the user. If
> Google suspends or terminates the relationship with a given user
> today (because Google claims the user violated their terms of
> service), the user HAS to have the means to access his/her Plaxo
> RP account -- with no additional steps.
>
> I'm going to guess that for any complying provider, they will have to
> disable support for openid delegation, which allows one openid to be
> used (a) in compliance with the draft requirements (when yahoo is
> the TSP-certified OP selected by a .gov website), and (b) not in
> compliance (when some non-certified OP "testing for and claiming
> physical presence" is the OP selected by some other, non-.gov website).
>
> Since the architecture allows any 1 id through delegation to be
> different things to different assertion consumers, the only way for
> Yahoo (say) to comply with the assurance draft is to ELIMINATE ITS
> SUPPORT FOR OPENID DELEGATION (which google has already done,
> apparently).
>
> We seem to be rapidly losing what openid is/was all about: user
> empowerment and control.
>