<html><head></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">The last subsegment is generated in a pairwise fashion to prevent cross department linking specifically.<div><br></div><div>Various agencies operate under laws that prevent them from doing cross agency correlation.</div><div><br></div><div>If the RP want's to correlate they need to do it by asking for an attribute eg email.</div><div><br></div><div>The profile doesn't require any identity or attribute vetting by the OP. You are free to lie or not provide real information. That is perfectly acceptable and anticipated for LoA 1.</div><div><br></div><div>The privacy part of the TFAP requires that users be able to decline returning attributes.</div><div><br></div><div>Unfortunately some OP's verify your email address and will return it to the RP if requested, only giving you the option of cancelling the login to prevent disclosure.</div><div><br></div><div>If you care about privacy there are OP's that allow you to control your attributes. Use one of them.</div><div><br></div><div>If you don't care use the one I am not going to name.</div><div><br></div><div>John B.</div><div><br><div><div>On 2009-09-10, at 11:13 AM, <a href="mailto:openid-general-request@lists.openid.net">openid-general-request@lists.openid.net</a> wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite"><span class="Apple-style-span" style="border-collapse: separate; font-family: Helvetica; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; -webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; "><span class="Apple-style-span" style="font-family: monospace; ">Date: Thu, 10 Sep 2009 06:40:42 -0700<br>From: Peter Williams <<a href="mailto:pwilliams@rapattoni.com">pwilliams@rapattoni.com</a>><br>Subject: Re: [OpenID] Fwd: [dotnetopenid] DotNetOpenAuth announces<br><span class="Apple-tab-span" style="white-space: pre; "> </span>support of the Government profile of OpenID<br>To: Markus Sabadello <<a href="mailto:markus.sabadello@gmail.com">markus.sabadello@gmail.com</a>>, John Bradley<br><span class="Apple-tab-span" style="white-space: pre; "> </span><<a href="mailto:john.bradley@wingaa.com">john.bradley@wingaa.com</a>><br>Cc: "<a href="mailto:openid-general@lists.openid.net">openid-general@lists.openid.net</a>"<br><span class="Apple-tab-span" style="white-space: pre; "> </span><<a href="mailto:openid-general@lists.openid.net">openid-general@lists.openid.net</a>><br>Message-ID:<br><span class="Apple-tab-span" style="white-space: pre; "> </span><<a href="mailto:BFBC0F17A99938458360C863B716FE463DCE098350@simmbox01.rapnt.com">BFBC0F17A99938458360C863B716FE463DCE098350@simmbox01.rapnt.com</a>><br>Content-Type: text/plain; charset="us-ascii"<br><br>I guess that the attempt to twist around the final i-number in the list of segments is an attempt to have it act as the mandatory PPID: a value that can accountlink to the government cross-agency id (and thus implement the linking-semantics of SAML2's federated-name).<br><br>But in SAML2, the user (not the IDP) gets to control the federated-name (even for the PPID/persistent variant); unlinking it when appropriate. Furthermore, the user gets to choose which of several IDP names can be account-linked (using PPIDs) to the common linking record at the RP. Perversely, the user has more control in the SAML2 model than in the now UCI-less openid profile.<br><br>This is the wrong thread to say this: but the profile is not surviving the early shakedown test. I see its goals, tradeoffs and compromises. They are articulated well enough and with enough personality and passion for even me to suspend my normal assumption of deception and double dealing at *anything* USG does in the security/private arena. But, my gut is telling me that this profile of openid really is sacrificing the soul of the entire movement to win adoption. But, I;m also convinced from watching 3 years worth of subtexts that this was always the end goal of the leadership: dethrone SAML, usurp the crown, and do the same thing essentially with lighterweight technology sold with UCI-themed badge on the front -- to placate the plebs.<br><br></span></span></blockquote></div><br></div></body></html>