<html><head><style type="text/css"><!-- DIV {margin:0px;} --></style></head><body><div style="font-family:times new roman, new york, times, serif;font-size:12pt"><div style="font-family: times new roman,new york,times,serif; font-size: 12pt;">SAML/ID-FF has long been criticized for its so-called 'panoptical' model, i.e. the IDP knowing too much.<br><br>Along with the 'trusting the IDP' argument, we've pointed out that while the IDP may know that you went to the SP, it won't (or at least shouldn't) know the details of what you did there.<br><br>FWIW, in Liberty's recent Advanced Client spec, we've introduced a model that weakens the real-time connection between the IDP and the SP (while maintaining the advantages of 3rd-party asserted identity). But of course, once you allow for a client smarter than a browser, the rules change.<br><div><br>paul<br></div>-- <br>Paul Madsen e:paulmadsen @ ntt-at.com<br>NTT p:613-482-0432<br>m:613-302-1428<br>aim:PaulMdsn5<br>web:connectid.blogspot.com<div style="font-family: times new roman,new york,times,serif; font-size: 12pt;"><br><br><div style="font-family: times new roman,new york,times,serif; font-size: 12pt;">----- Original Message ----<br>From: "Recordon, David" <drecordon@verisign.com><br>To: Dick Hardt
<dick@sxip.com><br>Cc: openid-general <general@openid.net><br>Sent: Wednesday, April 25, 2007 5:23:19 AM<br>Subject: Re: [OpenID] Anti-OpenID Campaign in Germany<br><br><div>Yes, what I found interesting though in the conversation I had is that<br>there is a feeling in parts of the World that an ISP shouldn't know<br>where you browse, your credit card company not know where you spend<br>money, and your telco not know who you call. Obviously this needs to be<br>balanced with what is achievable, though certainly illustrates some<br>cultural differences as OpenID is used around the World.<br><br>Awesome, didn't realize you were in Germany this week!<br><br>--David <br><br>-----Original Message-----<br>From: Dick Hardt [mailto:dick@sxip.com] <br>Sent: Wednesday, April 25, 2007 2:20 AM<br>To: Recordon, David<br>Cc: openid-general<br>Subject: Re: [OpenID] Anti-OpenID Campaign in Germany<br><br><br>OpenID as it stands now is a little leaky about where you
are going to<br>your OP (IP address of server fetching YADIS document), and given that<br>most people won't be able to run their own, there is some legitimacy to<br>the issue -- but I would argue that your ISP has a pretty good idea of<br>where you are going as well if they wanted to.<br>The user should select an OP that they trust to not abuse this<br>information.<br><br>btw: I'm in Germany right now for Web 2.0 Kongress. :-)<br><br>-- Dick<br><br>On 25-Apr-07, at 11:07 AM, Recordon, David wrote:<br><br>> Seems there are some campaigns<br>> (<a rel="nofollow" target="_blank" href="http://www.deltalima2.de/aktion-openid-nein-danke">http://www.deltalima2.de/aktion-openid-nein-danke</a> -- <br>> <a rel="nofollow" target="_blank" href="http://translate.google.com/translate?u=http%3A%2F%2Fwww.deltalima2.de%2Faktion-openid-nein-danke&langpair=de%7Cen&hl=en&ie=UTF-8&oe=UTF-8&prev=%2Flanguage_tools">http://translate.google.com/translate?u=http%3A%2F%2Fwww.deltalima2.de%2Faktion-openid-nein-danke&langpair=de%7Cen&hl=en&ie=UTF-8&oe=UTF-8&prev=%2Flanguage_tools</a>) against OpenID in parts of Europe which I think we<br>> need to take a look at.<br>><br>> Was talking with someone in Geneva yesterday who explained that his<br>> understanding of the problem is that there is a fear of OpenID if it<br>> means an OpenID Provider knows which relying parties you're<br>> interacting with and when. I explained that you can run your own<br>> provider as was discussed in a blog post today<br>> (<a rel="nofollow" target="_blank" href="http://www.bendodson.com/developer/news/2007/april/how-to-create-your-very-own-openid/">http://www.bendodson.com/developer/news/2007/april/how-to-create-your-very-own-openid/</a>), but it seems we need to do a better job of<br>> explaining this is possible. I know Sxip has also done some work on<br>> running an "identity agent" locally on your computer so that your<br>> provider doesn't actually know every time you're interacting with a<br>> RP.<br>><br>> Do people on this list have a better understanding of what the<br>> problem(s) is/are? Dick, Johannes, and I will also be in Munich the<br>> week after next for the 1st European Identity Conference<br>> (<a rel="nofollow" target="_blank" href="http://www.kuppingercole.de/eventformats/conference">http://www.kuppingercole.de/eventformats/conference</a>) and would love<br>> to chat about this in person as well. I'll also be in Brussels<br>> tomorrow and Friday at the Identity Open Space if anyone would like to<br>> talk then.<br>><br>> Thanks,<br>> --David<br>> _______________________________________________<br>> general mailing list<br>> general@openid.net<br>> <a rel="nofollow" target="_blank"
href="http://openid.net/mailman/listinfo/general">http://openid.net/mailman/listinfo/general</a><br>><br>><br><br>_______________________________________________<br>general mailing list<br>general@openid.net<br><a rel="nofollow" target="_blank" href="http://openid.net/mailman/listinfo/general">http://openid.net/mailman/listinfo/general</a><br></div></div><br></div></div></div></body></html>