[OpenID] Convert claimed_id to pseudonym at RP, not OP

John Bradley ve7jtb at ve7jtb.com
Sat Sep 12 16:54:18 UTC 2009


I managed to keep unsolicited positive assertions from being  
prohibited by the profile.

We have never done much with them other than some demos of OP bookmarks.

I think they are going to be more useful to people who are developing  
things like IDIB plugins.

In principle you may be able to chain IdPs.

The thing that will catch you up is the TFAP not the technical profile.

The provider needs to prove via audit that there is a less than 1 in  
1024 chance of the account being brute forced during the lifetime of  
the primary authenticator token (password).

An IdP won't be able to say that if it doesn't know the password
entropy policy of the upstream IdP.

If the upstream IdPs are themselves certified, I could see that argument
perhaps working.

I would try and get it approved at least (remember I have no authority
over anything).

I don't know why this is better than binding multiple IdPs to the same
RP.  You still run the risk of the proxy going out of biz.

Remember we are talking about LoA 1 here.

The gov is not worried about people losing access to these RP accounts.

According to OMB 04-04, a LoA 1 authentication cannot be used to
protect personal information.

We are talking about account customization, bookmarking and other sorts
of uses.

The other way of expressing LoA 1 is that you expect approx. 1 in 1K
accounts to be compromised.
The expectation is that they are not secure.  That is why identity
proofing is considered almost counterproductive at LoA 1.

There is no protection from phishing, eavesdropping or any number of
other things that are covered in higher LoAs.

That isn't to say that OpenID can't be secure, only that LoA 1 doesn't
require it to be very secure.

The basic principle is that RPs shouldn't store information whose
disclosure or loss would cause harm in LoA 1 applications.

That is why additional account recovery requirements were not part of  
the profile.

The profile mostly attempts to close the obvious security holes and  
provide for user privacy protection.
It constrains IdPs on what they can do with the information they get
about what gov sites users visit, etc.

It is only a first step.  A good one, but only the first for OpenID.

John B.
On 2009-09-12, at 1:12 AM, Peter Williams wrote:

> One option to retain portability, especially since idp initiation is
> permitted, is to do idp chaining. To retain portability, users can
> assert to a non .gov rp, that links several of the user's ppids to one
> account, and which turns around and asserts a new ppid to the .gov  as
> a whitelisted/audited idp.
>
> The commercial op cannot object, as the profile considers end user
> info to be self asserted (not idp asserted). The .gov whitelisting
> rules might be set to deny this (even tho it does not prejudice the
> privacy policy of . Gov). It will be quite telling if they do....
>
> One cannot really judge the profile in the absence of the audit
> criteria.
>
>
>
> On Sep 9, 2009, at 10:48 PM, "Manger, James H" <James.H.Manger at team.telstra.com> wrote:
>
> _______________________________________________
> general mailing list
> general at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-general
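The message above anchors LoA 1 on one quantitative requirement: an auditor must be shown that an online attacker has less than a 1 in 1024 chance of brute-forcing the account over the lifetime of the password, and a proxy IdP cannot make that claim without knowing the upstream IdP's password-entropy policy. The following is an added worked example (not code from the thread or from any OpenID project) of how that bound is usually derived: the attacker's guess budget is the number of failed attempts the RP's or OP's rate limiting permits over the password lifetime, and the success probability is bounded by budget / 2^entropy. All rate-limit, lifetime and entropy figures below are constructed assumptions, not values from the message; the chain function encodes the point that a chained IdP inherits the weakest upstream bound and cannot attest at all if an upstream link's entropy is unknown.

```python
import math

# Constructed assumptions (not from the message): what the audited
# lockout policy lets an online attacker do, and how long a password lives.
ASSUMED_MAX_FAILURES_PER_WINDOW = 100   # failed attempts allowed per lockout window
ASSUMED_WINDOW_MINUTES = 30             # length of one lockout window
ASSUMED_PASSWORD_LIFETIME_DAYS = 730    # two-year password lifetime
TARGET_MAX_PROBABILITY = 1 / 1024       # the LoA 1 threshold quoted in the message


def attacker_guess_budget(max_failures_per_window, window_minutes, lifetime_days):
    """Total online guesses an attacker can make against one account over the
    password lifetime, given that the lockout policy is enforced throughout."""
    windows = lifetime_days * 24 * 60 / window_minutes
    return int(max_failures_per_window * windows)


def success_probability(guess_budget, entropy_bits):
    """Upper bound on the chance that `guess_budget` online guesses find a
    password with `entropy_bits` bits of min-entropy: guesses / 2^H, capped at 1."""
    return min(1.0, guess_budget / 2 ** entropy_bits)


def required_entropy_bits(guess_budget, max_probability):
    """Smallest whole number of entropy bits that keeps the bound at or below
    `max_probability` for the given guess budget."""
    return math.ceil(math.log2(guess_budget / max_probability))


def meets_loa1_bound(guess_budget, entropy_bits, max_probability=TARGET_MAX_PROBABILITY):
    """True if the audited guessing bound satisfies the 1-in-1024 style threshold."""
    return success_probability(guess_budget, entropy_bits) <= max_probability


def chain_success_probability(link_probabilities):
    """Bound for an account reachable through a chain of IdPs: compromising any
    one link compromises the account, so the union bound (sum of the per-link
    bounds, capped at 1) applies. A link whose bound is unknown (None) means
    the proxy cannot make any claim, which is the message's objection to
    chaining through an unaudited upstream IdP."""
    if any(p is None for p in link_probabilities):
        return None
    return min(1.0, sum(link_probabilities))


def audit_summary():
    """Run the constructed scenario end to end and return the figures an
    auditor would look at."""
    budget = attacker_guess_budget(
        ASSUMED_MAX_FAILURES_PER_WINDOW,
        ASSUMED_WINDOW_MINUTES,
        ASSUMED_PASSWORD_LIFETIME_DAYS,
    )
    needed = required_entropy_bits(budget, TARGET_MAX_PROBABILITY)
    return {
        "guess_budget": budget,
        "required_entropy_bits": needed,
        "probability_at_required_bits": success_probability(budget, needed),
        "probability_one_bit_short": success_probability(budget, needed - 1),
    }


if __name__ == "__main__":
    for key, value in audit_summary().items():
        print(f"{key}: {value}")
    # A proxy IdP chained to an upstream IdP of unknown entropy policy
    print("chained bound:", chain_success_probability([1 / 2048, None]))
```

With the constructed lockout policy the attacker gets 3,504,000 guesses over two years, so the password must carry at least 32 bits of min-entropy to stay under 1/1024; at 31 bits the bound is already exceeded. Tightening the lockout window or shortening the password lifetime lowers the budget and therefore the entropy the policy has to guarantee, which is the lever an OP actually controls when preparing for an audit.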



More information about the general mailing list