[OpenID] DotNetOpenAuth announces support of the Government profile of OpenID
Andrew Arnott
andrewarnott at gmail.com
Wed Sep 9 22:46:09 UTC 2009
Inline below...
--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death
your right to say it." - S. G. Tallentyre
On Wed, Sep 9, 2009 at 3:37 PM, SitG Admin
<sysadmin at shadowsinthegarden.com> wrote:
>> The profile is quite paranoid about not exposing any PII, and if the user
>> were allowed to enter anything, that might give away something about the
>> personal identity of the user. So instead, RPs must use the nascar OP
>> button display, which means all authentications begin with an OP identifier
>> (thus no delegation).
>>
>
> It instantly struck me as an odd concern, this "paranoia" when forcing
> users to communicate through an OP that probably required a LOT of PII from
> the user (and may provide it to "the government" upon request).
When I used "paranoid" it wasn't intended as a derogatory term, but rather
just the level of urgency with which they considered privacy.
> If your PII is in the chain, someone can trace back to you. (Vanity
> domains, to be fair, can be the same - and if you put bad information in the
> Owner field, you may have trouble proving your right to that domain, later
> on.)
>
Because according to the ICAM profile the OP must assert PPID claimed_id
values to the RP, they actually *aren't* traceable back to you, assuming the
OP doesn't store the generated claimed_ids, but rather regenerates them
using some kind of one-way hash of the openid.realm and openid.identity
values together with user-specific salt. It's mathematically difficult to
take the opaque claimed_id and reverse it back to the user who generated the
assertion.
>
> Does the profile permit multi-user OP's to make assertions about users for
> whom they have NOT collected any PII?
>
The profile makes no restrictions whatsoever (at least when I last read an
earlier draft) regarding what care the OP has taken to identify the user, if
I read it correctly.
>
> -Shade
>
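The PPID scheme sketched in the reply above, as an added example (Python, not DotNetOpenAuth's own code): the OP keeps only a random per-user salt and regenerates the claimed_id on every assertion from the canonicalized realm and the OP-local identity, so nothing stored at the OP maps a claimed_id back to a user. The OP base URL, the function names and the sample salt are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Hypothetical OP base URL under which opaque claimed_ids are issued (not real).
OP_BASE = "https://op.example.invalid/"


def canonical_realm(realm: str) -> str:
    """Lower-case scheme and host so the same RP always yields the same PPID.
    The path and any '*.' wildcard in the host are kept as the RP sent them."""
    parts = urlsplit(realm)
    path = parts.path or "/"
    return f"{parts.scheme.lower()}://{parts.netloc.lower()}{path}"


def ppid(realm: str, op_local_identity: str, user_salt: bytes) -> str:
    """Pairwise pseudonymous identifier: HMAC-SHA256 keyed with the per-user
    salt over (canonical realm, OP-local identity). Without the salt the value
    cannot be linked back to the user, and two realms get unrelated values."""
    msg = canonical_realm(realm).encode() + b"\x00" + op_local_identity.encode()
    digest = hmac.new(user_salt, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def claimed_id(realm: str, op_local_identity: str, user_salt: bytes) -> str:
    """The claimed_id the OP asserts to the RP: a URL that carries only the PPID."""
    return f"{OP_BASE}id/{ppid(realm, op_local_identity, user_salt)}"


def new_user_salt() -> bytes:
    """The only per-user state the OP must keep; generated once at enrollment."""
    return secrets.token_bytes(32)


if __name__ == "__main__":
    # Constructed sample: one user logging in at two different RPs.
    salt = new_user_salt()
    first = claimed_id("https://rp-one.example.com/", "alice", salt)
    second = claimed_id("https://rp-two.example.com/", "alice", salt)
    print(first, second, sep="\n")
    assert first != second  # the two RPs cannot correlate the user
```

The realm passed in must be the realm the OP has already validated against the RP's return_to, otherwise a realm of the RP's choosing would let it request another site's PPID.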