[OpenID] Identity-less OpenID
Peter Williams
pwilliams at rapattoni.com
Fri May 8 03:52:51 UTC 2009
How did you intend folks to leverage the "security association", used when moving attributes around (in extensions)?
Did you intend that identity-less transactions were to be tied to user initiation, or require user consent, or formalized delegation of consent?
(The spec says nothing on this score.)
What it comes across as is (ignoring the attribute part, and just focusing on it applying to "stuff" in extensions yet to be defined) that either an OP or RP can, subsequent to an identity transaction, initiate a new connection over an existing security association at any later time, leveraging the association and its handle in particular. That handle must exist, have been previously authenticated using either OpenID DH or an external scheme, and be tied to some (verified) OpenID.
In addition to the handle and its OpenID binding, there is state in the crypto MACs, in that the nonces and MAC states at the end of the last identity or identity-less transaction MAY be the initial crypto state of the next identity-less transaction, much as one statefully persists several read/write MACs per channel when resuming an SSL session for a new SSL connection.
My own assumption when reading the spec was that there need be NO user initiation for the OP and RP to use the existing state of handles, MACs, nonces etc. for identity-less transactions. Once the handle has been authenticated and is bound to an OpenID (as a result of an initial identity transaction initiated by the controlling user), RPs and OPs can THEN initiate information flows between themselves over those same stateful MACs (i.e. the security association) withOUT initiation by or consent of the user. The rules defined in the extension would define all this: what one can and cannot do with such state.
________________________________________
From: Dick Hardt [dick.hardt at gmail.com]
Sent: Thursday, May 07, 2009 8:10 PM
To: Peter Williams
Cc: Johannes Ernst; Andrew Arnott; general
Subject: Re: [OpenID] Identity-less OpenID
On 7-May-09, at 9:33 AM, Peter Williams wrote:
> I have to admit, I know nothing about Sxip protocols or directions.
> I've only ever followed standards. Only through standards does one
> address scale and fair competition between vendors.
We were proposing the SXIP protocols to IETF.
>
>
> But, the feature was always intriguing. It implied, along with
> delegation, that openid protocol entities operating in a more
> advanced application context could be stateful over even multiple
> transactions.
I have no idea what you mean by stateful here.
The intent was to be able to only move attributes, or only store
attributes without also doing authentication.
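The mechanism the thread is arguing about, as an added example that is not from the list posts or from any OpenID library: one OpenID 2.0 association (an association handle plus a shared HMAC key) is used by the OP to sign an ordinary identity assertion and then an identifier-less, extension-only response carrying an AX attribute, and the RP verifies both under the same association. Assumptions not in the thread: the MAC key is generated locally instead of through the openid.mode=associate exchange (DH or no-encryption session); the URLs, handle format, attribute values and the 300-second skew window are constructed sample data; field names follow OpenID Authentication 2.0 (Key-Value Form, signing, positive assertions, verification) and OpenID Attribute Exchange 1.0.

```python
# Added example, not code from the thread. OpenID 2.0 association reuse:
# one (handle, MAC key) pair signs both an identity assertion and an
# identifier-less, extension-only response. Assumed: the MAC key is made
# locally instead of via openid.mode=associate; URLs, handle format,
# attribute values and MAX_SKEW are constructed sample data.
import base64
import calendar
import hashlib
import hmac
import os
import time

NS = "http://specs.openid.net/auth/2.0"
AX_NS = "http://openid.net/srv/ax/1.0"
UNSIGNED = {"openid.ns", "openid.mode", "openid.signed", "openid.sig"}
REQUIRED_SIGNED = {"op_endpoint", "return_to", "response_nonce", "assoc_handle"}
MAX_SKEW = 300  # seconds of response_nonce clock skew tolerated (assumed policy)


def new_association():
    """Constructed association; normally the OP returns the handle and the
    256-bit MAC key in its association response (assoc_type HMAC-SHA256)."""
    return {"handle": base64.b64encode(os.urandom(12)).decode(), "mac_key": os.urandom(32)}


def kv_form(fields, keys):
    """Key-Value Form (section 4.1.1): one 'key:value\\n' line per signed
    field, in openid.signed order, with the 'openid.' prefix stripped."""
    return "".join(f"{k}:{fields['openid.' + k]}\n" for k in keys)


def compute_sig(mac_key, fields, keys):
    """Section 6.1: base64(HMAC-SHA256(mac_key, kv_form(signed fields)))."""
    mac = hmac.new(mac_key, kv_form(fields, keys).encode(), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()


def make_nonce(now):
    """Section 10.1 response_nonce: UTC timestamp followed by a unique suffix."""
    stamp = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(now))
    return stamp + base64.b64encode(os.urandom(6)).decode()


def op_sign(assoc, fields):
    """OP side: bind the message to the association handle and sign every
    field other than ns/mode under the association's MAC key."""
    fields = {**fields, "openid.assoc_handle": assoc["handle"]}
    keys = [k[len("openid."):] for k in fields if k not in UNSIGNED]
    fields["openid.signed"] = ",".join(keys)
    fields["openid.sig"] = compute_sig(assoc["mac_key"], fields, keys)
    return fields


class RelyingParty:
    def __init__(self, return_to, associations):
        self.return_to = return_to
        self.associations = associations  # handle -> association dict
        self.seen_nonces = set()          # section 11.3 replay protection

    def verify(self, fields, now):
        """Section 11 checks on a positive assertion; returns (ok, reason)."""
        if fields.get("openid.ns") != NS or fields.get("openid.mode") != "id_res":
            return False, "not an OpenID 2.0 positive assertion"
        if fields.get("openid.return_to") != self.return_to:
            return False, "return_to mismatch"
        assoc = self.associations.get(fields.get("openid.assoc_handle"))
        if assoc is None:
            return False, "unknown association handle"
        keys = fields.get("openid.signed", "").split(",")
        needed = REQUIRED_SIGNED | {f for f in ("claimed_id", "identity") if "openid." + f in fields}
        if not needed.issubset(keys) or any("openid." + k not in fields for k in keys):
            return False, "openid.signed does not cover the required fields"
        expected = compute_sig(assoc["mac_key"], fields, keys)
        if not hmac.compare_digest(expected.encode(), fields.get("openid.sig", "").encode()):
            return False, "bad signature"
        nonce = fields["openid.response_nonce"]
        try:
            stamp = calendar.timegm(time.strptime(nonce[:20], "%Y-%m-%dT%H:%M:%SZ"))
        except ValueError:
            return False, "malformed response_nonce"
        if abs(now - stamp) > MAX_SKEW:
            return False, "stale response_nonce"
        if nonce in self.seen_nonces:
            return False, "replayed response_nonce"
        self.seen_nonces.add(nonce)
        return True, "ok"


def demo(now=None):
    """Four deliveries over one association; returns the RP's verdicts."""
    now = time.time() if now is None else now
    assoc = new_association()
    rp = RelyingParty("https://rp.example/return", {assoc["handle"]: assoc})
    base = {"openid.ns": NS, "openid.mode": "id_res", "openid.return_to": rp.return_to,
            "openid.op_endpoint": "https://op.example/openid"}
    # 1. Ordinary identity transaction: claimed_id/identity present and signed.
    ident = op_sign(assoc, {**base, "openid.response_nonce": make_nonce(now),
                            "openid.claimed_id": "https://op.example/alice",
                            "openid.identity": "https://op.example/alice"})
    # 2. Identifier-less response: no claimed_id/identity, just an AX
    #    fetch_response signed under the same handle and MAC key.
    attrs = op_sign(assoc, {**base, "openid.response_nonce": make_nonce(now),
                            "openid.ns.ax": AX_NS, "openid.ax.mode": "fetch_response",
                            "openid.ax.type.email": "http://axschema.org/contact/email",
                            "openid.ax.value.email": "alice@example.org"})
    # 4. The same response with the attribute value changed in transit.
    tampered = {**attrs, "openid.ax.value.email": "mallory@example.org"}
    return [rp.verify(ident, now), rp.verify(attrs, now),
            rp.verify(attrs, now),  # 3. replay of an already accepted response
            rp.verify(tampered, now)]
```

Run `demo()` and the four verdicts come back as accepted, accepted, "replayed response_nonce" and "bad signature". Two design points worth noting: in OpenID Authentication 2.0 the association's MAC key is fixed for the association's lifetime and each response carries its own response_nonce that the RP has to remember, which is what the replay check implements; and because the identifier-less response is verified by nothing but the handle and MAC key, whatever policy governs who may initiate such a flow, and with what consent, has to come from the extension, exactly the gap the post above is asking about.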