[OpenID] Fwd: [dotnetopenid] DotNetOpenAuth announces support of the Government profile of OpenID

John Bradley john.bradley at wingaa.com
Thu Sep 10 17:11:28 UTC 2009


The last subsegment is generated in a pairwise fashion to prevent  
cross department linking specifically.

Various agencies operate under laws that prevent them from doing cross  
agency correlation.

If the RP wants to correlate, they need to do it by asking for an  
attribute, e.g. email.

The profile doesn't require any identity or attribute vetting by the  
OP. You are free to lie or not provide real information. That is  
perfectly acceptable and anticipated for LoA 1.

The privacy part of the TFAP requires that users be able to decline  
returning attributes.

Unfortunately some OPs verify your email address and will return it  
to the RP if requested, only giving you the option of cancelling the  
login to prevent disclosure.

If you care about privacy there are OPs that allow you to control  
your attributes. Use one of them.

If you don't care, use the one I am not going to name.

John B.

On 2009-09-10, at 11:13 AM, openid-general-request at lists.openid.net  
wrote:

> Date: Thu, 10 Sep 2009 06:40:42 -0700
> From: Peter Williams <pwilliams at rapattoni.com>
> Subject: Re: [OpenID] Fwd: [dotnetopenid] DotNetOpenAuth announces
> 	support of the Government profile of OpenID
> To: Markus Sabadello <markus.sabadello at gmail.com>, John Bradley
> 	<john.bradley at wingaa.com>
> Cc: "openid-general at lists.openid.net"
> 	<openid-general at lists.openid.net>
> Message-ID:
> 	<BFBC0F17A99938458360C863B716FE463DCE098350 at simmbox01.rapnt.com>
> Content-Type: text/plain; charset="us-ascii"
>
> I guess that the attempt to twist around the final i-number in the  
> list of segments is an attempt to have it act as the mandatory PPID:  
> a value that can accountlink to the government cross-agency id (and  
> thus implement the linking-semantics of SAML2's federated-name).
>
> But in SAML2, the user (not the IDP) gets to control the federated-name  
> (even for the PPID/persistent variant); unlinking it when  
> appropriate. Furthermore, the user  gets to choose which of several  
> IDP names can be account-linked (using PPIDs) to the common linking  
> record at the RP. Perversely, the user has more control in the SAML2  
> model than in the now UCI-less openid profile.
>
> This is the wrong thread to say this: but the profile is not  
> surviving the early shakedown test. I see its goals, tradeoffs and  
> compromises. They are articulated well enough and with enough  
> personality and passion for even me to suspend my normal assumption  
> of deception and double dealing at *anything* USG does in the  
> security/private arena. But, my gut is telling me that this profile  
> of openid really is sacrificing the soul of the entire movement to  
> win adoption. But, I'm also convinced from watching 3 years worth of  
> subtexts that this was always the end goal of the leadership:  
> dethrone SAML, usurp the crown, and do the same thing essentially  
> with lighter-weight technology sold with a UCI-themed badge on the  
> front -- to placate the plebs.
>
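
The two mechanisms discussed in this thread, a pairwise final subsegment that stops departments linking records and attribute release the user can decline, can be sketched in code. The following is an added example and not code from the thread, from DotNetOpenAuth or from the Government profile itself: the HMAC-over-(user, realm) derivation, the identifier prefix, the secret and all sample users and realms are assumptions for illustration, since the message does not specify how the profile actually constructs the subsegment.

```python
import hmac
import hashlib

# Constructed OP-held secret (placeholder for this demo). A real OP would keep
# a long-lived key in a secrets store; rotating it re-pseudonymises every user
# at every RP, so it must stay stable for as long as logins should persist.
OP_PAIRWISE_SECRET = b"constructed-op-secret-for-demo-only"

# Hypothetical fixed prefix. The real profile's identifier layout is not shown
# in the message and is not reproduced here.
IDENTIFIER_PREFIX = "https://op.example.gov/id"


def pairwise_subsegment(secret: bytes, local_user_id: str, rp_realm: str) -> str:
    """Derive an RP-specific final subsegment (assumed construction).

    HMAC keyed with the OP secret over (user, realm): stable for one user at
    one RP, while two RPs receive values they cannot relate without the key.
    The NUL separator keeps ("ab", "c") and ("a", "bc") from colliding.
    """
    message = local_user_id.encode() + b"\x00" + rp_realm.encode()
    return hmac.new(secret, message, hashlib.sha256).hexdigest()[:32]


def claimed_identifier(local_user_id: str, rp_realm: str,
                       secret: bytes = OP_PAIRWISE_SECRET) -> str:
    """Assemble the identifier the RP in `rp_realm` would see for this user."""
    return f"{IDENTIFIER_PREFIX}/{pairwise_subsegment(secret, local_user_id, rp_realm)}"


def rps_can_link(value_at_rp_a: str, value_at_rp_b: str) -> bool:
    """Two departments comparing what they hold can link records only on equality."""
    return value_at_rp_a == value_at_rp_b


def release_attributes(requested: list[str], user_attrs: dict[str, str],
                       user_declines: set[str]) -> dict[str, str]:
    """Model the privacy requirement from the message: any requested attribute
    the user declines is withheld, without forcing the login to be cancelled."""
    return {k: user_attrs[k] for k in requested
            if k in user_attrs and k not in user_declines}


if __name__ == "__main__":
    # Constructed sample data.
    agency_a, agency_b = "https://agency-a.example.gov/", "https://agency-b.example.gov/"
    alice = {"email": "alice@example.org", "name": "Alice"}

    id_a = claimed_identifier("alice", agency_a)
    id_b = claimed_identifier("alice", agency_b)
    print("identifier at A:", id_a)
    print("identifier at B:", id_b)
    print("linkable by identifier:", rps_can_link(id_a, id_b))

    # Correlation becomes possible only through an attribute the user releases.
    attrs_a = release_attributes(["email"], alice, user_declines=set())
    attrs_b = release_attributes(["email"], alice, user_declines=set())
    print("linkable by email:", rps_can_link(attrs_a["email"], attrs_b["email"]))
    print("declined email at B:", release_attributes(["email", "name"], alice, {"email"}))
```

Running it shows the same user appearing under two unrelated identifiers at the two agencies, while a released email attribute lets the agencies match records, which is exactly the trade-off John describes: the identifier itself does not correlate, the attributes the user chooses to release might.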
