[OpenID] Convert claimed_id to pseudonym at RP, not OP
John Bradley
ve7jtb at ve7jtb.com
Fri Sep 11 17:03:57 UTC 2009
The idea of converting at the RP was considered.

The privacy regulations are written to protect the users from the Gov.
(Americans, what can you say)

If the gov RP gets a correlatable identifier at all, that potentially
violates the "Privacy Impact Assessment" that they operate under.

We also had to mandate the use of login buttons so the user can't
enter their ID, to meet the requirements.

We did decouple the PAPE request for a PPID from the overall profile.
This will allow RPs that are allowed to take correlatable info to
still use the profile without the PPID.
That is governed by other regulations, not the profile.

The profile gives an RP the ability to ask for a non-correlatable
identifier.

Would this be good for privacy in general if widely adopted?
Perhaps, but it is not the Government's intention to use the profile
to fix OpenID in general, only to profile it so that it can be used
in the GSA LoA 1 context.

Honestly, there are a number of security holes in OpenID that are not
addressed by this profile, because something else in the profile
mitigates them.

We refrained from profiling aspects of OpenID that are not directly
relevant to the profile as it is intended to be used. (I was tempted
though)

Regards
John B.
On 2009-09-10, at 1:47 AM, openid-general-request at lists.openid.net
wrote:
> Date: Thu, 10 Sep 2009 15:40:50 +1000
> From: "Manger, James H" <James.H.Manger at team.telstra.com>
> Subject: [OpenID] Convert claimed_id to pseudonym at RP, not OP
> To: "general at lists.openid.net" <general at lists.openid.net>
>
> John Bradley said:
>
>> Yes I am an evil and loathsome person for violating the principles
>> of UCI (Sorry about that)
>
> 1. The USA Government has lots of rules about government sites
> collecting personally identifiable information (PII).
>
> 2. A vanity OpenID identifier used at lots of places would be
> considered PII.
>
> 3. Better adoption of OpenID would be achieved by USA
> Government sites if they can avoid the burden of PII-related rules.
>
> The solution in the USA Government's OpenID profile is to require
> OPs to use directed identity: use per-RP pseudonyms for claimed_id,
> and no delegation. PAPE signals are mandated to indicate that this
> is occurring. A USA Government OP whitelist ensures only OPs that
> will not lie about the PAPE signals are accepted.
>
>
>
> This seems a bit backwards. To satisfy an internal rule about PII at
> RPs the USA Government is putting requirements on external OPs.
>
>
>
> Couldn't USA Government RPs achieve a very similar effect by
> converting a claimed_id to a directed id themselves?
>
> After performing OpenID authentication, an RP can hash the
> claimed_id, the RP's name, and an RP secret to create a pseudonym to
> record in an account database. The pseudonym cannot be correlated
> with the pseudonyms created at other RPs. Collect the pseudonym and
> throw away the claimed_id - won't that avoid the PII-related rules?
>
> Violating the principles of user-centric identity (UCI) seems like
> an unnecessary and unfortunate design choice to address onerous PII
> rules for selected RPs.
>
>
>
> Perhaps there are other motivations? Demanding directed identities
> may encourage their use at non-government RPs as well, which may
> raise the general level of privacy online. Is this an explicit value
> being promoted?
>
> James Manger
> James.H.Manger at team.telstra.com
> Identity and security team - Chief Technology Office - Telstra
>
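
The RP-side conversion proposed in the quoted message (hash the claimed_id, the RP's name and an RP secret), as an added example that is not part of either post. It assumes HMAC-SHA256 as the hash, and `rp_pseudonym`, `lookup_account` and the example.org / example.gov values are hypothetical. As the reply notes, the RP still receives the correlatable claimed_id during authentication before it can derive the pseudonym.

```python
import hashlib
import hmac
import secrets


def _frame(field: bytes) -> bytes:
    # Length-prefix each field so ("ab", "c") and ("a", "bc") cannot collide.
    return len(field).to_bytes(4, "big") + field


def rp_pseudonym(claimed_id: str, rp_name: str, rp_secret: bytes) -> str:
    """Derive a per-RP pseudonym from an already verified claimed_id.

    HMAC-SHA256 keyed with the RP secret stands in for the "hash" in the
    message (an assumption; the post names no algorithm).
    """
    if len(rp_secret) < 32:
        raise ValueError("rp_secret must be at least 32 random bytes")
    msg = _frame(rp_name.encode("utf-8")) + _frame(claimed_id.encode("utf-8"))
    return hmac.new(rp_secret, msg, hashlib.sha256).hexdigest()


def lookup_account(accounts: dict, claimed_id: str, rp_name: str, rp_secret: bytes):
    # Only the pseudonym is used as the account key; the claimed_id is
    # discarded after this call and never stored.
    return accounts.get(rp_pseudonym(claimed_id, rp_name, rp_secret))


# Constructed sample values (not from the original post).
CLAIMED_ID = "https://alice.example.org/"
RP_A = ("https://rp-a.example.gov/", secrets.token_bytes(32))
RP_B = ("https://rp-b.example.gov/", secrets.token_bytes(32))

if __name__ == "__main__":
    pa = rp_pseudonym(CLAIMED_ID, *RP_A)
    pb = rp_pseudonym(CLAIMED_ID, *RP_B)
    accounts = {pa: {"created": "2009-09-11"}}
    print("RP A:", pa)
    print("RP B:", pb)
    print("stable at RP A:", pa == rp_pseudonym(CLAIMED_ID, *RP_A))
    print("unlinkable across RPs:", pa != pb)
    print("lookup:", lookup_account(accounts, CLAIMED_ID, *RP_A))
```

Losing or rotating the RP secret changes every pseudonym, so existing accounts can no longer be matched once the claimed_id has been thrown away.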