[OpenID] Convert claimed_id to pseudonym at RP, not OP

Manger, James H James.H.Manger at team.telstra.com
Thu Sep 10 05:40:50 UTC 2009 

John Bradley said:

> Yes I am an evil and loathsome person for violating the principals of UCI (Sorry about that)





1.       The USA Government has lots of rules about government sites collecting personally identifiable information (PII).

2.       A vanity OpenID identifier used at lots of places would be considered PII.

3.       Better adoption of OpenID would be achieved by USA Government sites if they can avoiding the burden of PII-related rules.



The solution in the USA Government’s OpenID profile is to require OPs to use directed identity: use per-RP pseudonyms for claimed_id, and no delegation. PAPE signals are mandated to indicate that this is occurring. A USA Government OP whitelist ensures only OPs that will not lie about the PAPE signals are accepted.



This seems a bit backwards. To satisfy an internal rule about PII at RPs the USA Government is putting requirements on external OPs.



Couldn’t USA Government RPs achieve a very similar affect by converting a claimed_id to a directed id themselves?

After performing OpenID authentication, an RP can hash the claimed_id, the RP’s name, and an RP secret to create a pseudonym to record in an account database. The pseudonym cannot be correlated with the pseudonyms created at other RPs. Collect the pseudonym and throw away the claimed_id – wont that avoid the PII-related rules?





Violating the principals of user-centric identity (UCI) seems like an unnecessary and unfortunate design choice to address onerous PII rules for selected RPs.



Perhaps there are other motivations? Demanding directed identities may encourage their use at non-government RPs as well, which may raise the general level of privacy online. Is this an explicit value being promoted?









James Manger
James.H.Manger at team.telstra.com<mailto:James.H.Manger at team.telstra.com>
Identity and security team — Chief Technology Office — Telstra

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-general/attachments/20090910/2ee8a838/attachment-0001.htm>

More information about the general mailing list