<html><head></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><div>The idea of converting at the RP was considered.</div><div><br></div><div>The privacy regulations are written to protect the users from the Gov. (Americans what can you say)</div><div><br></div><div>If the gov RP get a correlatable identifier at all that potentially violates the "Privacy Impact Assessment" that they operate under.</div><div><br></div><div>We also had to mandate the use of login buttons so the user can't enter there ID, to meet the requirements.</div><div><br></div><div>We did decouple the PAPE request for a PPID from the overall profile.</div><div><br></div><div>This will allow RP's that are allowed to take correlatable info to still use the profile without the PPID.</div><div><br></div><div>That is governed by other regulations not the profile. </div><div><br></div><div>The profile gives RP the ability to ask for a non-correlatable identifier.</div><div><br></div><div>Would this be good for privacy in general if widely adopted?</div><div><br></div><div>Perhaps, but it is not the Governments intention to use the profile to fix openID in general, only to profile it so that it can be used in the GSA LoA 1 context.</div><div><br></div><div>Honestly there are a number of security holes in openID that are not addressed by this profile, because something else in the profile mitigates them. </div><div><br></div><div>We refrained from profiling aspects of openID that are not directly relevant to the profile as it is intended to be used. (I was tempted though)</div><div><br></div><div>Regards</div><div>John B.</div><br><div><div>On 2009-09-10, at 1:47 AM, <a href="mailto:openid-general-request@lists.openid.net">openid-general-request@lists.openid.net</a> wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite"><span class="Apple-style-span" style="font-family: monospace; ">Date: Thu, 10 Sep 2009 15:40:50 +1000<br>From: "Manger, James H" <<a href="mailto:James.H.Manger@team.telstra.com">James.H.Manger@team.telstra.com</a>><br>Subject: [OpenID] Convert claimed_id to pseudonym at RP, not OP<br>To: "<a href="mailto:general@lists.openid.net">general@lists.openid.net</a>" <<a href="mailto:general@lists.openid.net">general@lists.openid.net</a>><br>Message-ID:<br><span class="Apple-tab-span" style="white-space: pre; "> </span><<a href="mailto:255B9BB34FB7D647A506DC292726F6E1122EAAE369@WSMSG3153V.srv.dir.telstra.com">255B9BB34FB7D647A506DC292726F6E1122EAAE369@WSMSG3153V.srv.dir.telstra.com</a>><br><span class="Apple-tab-span" style="white-space: pre; "> </span><br>Content-Type: text/plain; charset="utf-8"<br><br>John Bradley said:<br><br><blockquote type="cite">Yes I am an evil and loathsome person for violating the principals of UCI (Sorry about that)<br></blockquote><br><br><br><br><br>1. The USA Government has lots of rules about government sites collecting personally identifiable information (PII).<br><br>2. A vanity OpenID identifier used at lots of places would be considered PII.<br><br>3. Better adoption of OpenID would be achieved by USA Government sites if they can avoiding the burden of PII-related rules.<br><br><br><br>The solution in the USA Government?s OpenID profile is to require OPs to use directed identity: use per-RP pseudonyms for claimed_id, and no delegation. PAPE signals are mandated to indicate that this is occurring. A USA Government OP whitelist ensures only OPs that will not lie about the PAPE signals are accepted.<br><br><br><br>This seems a bit backwards. To satisfy an internal rule about PII at RPs the USA Government is putting requirements on external OPs.<br><br><br><br>Couldn?t USA Government RPs achieve a very similar affect by converting a claimed_id to a directed id themselves?<br><br>After performing OpenID authentication, an RP can hash the claimed_id, the RP?s name, and an RP secret to create a pseudonym to record in an account database. The pseudonym cannot be correlated with the pseudonyms created at other RPs. Collect the pseudonym and throw away the claimed_id ? wont that avoid the PII-related rules?<br><br><br><br><br><br>Violating the principals of user-centric identity (UCI) seems like an unnecessary and unfortunate design choice to address onerous PII rules for selected RPs.<br><br><br><br>Perhaps there are other motivations? Demanding directed identities may encourage their use at non-government RPs as well, which may raise the general level of privacy online. Is this an explicit value being promoted?<br><br><br><br><br><br><br><br><br><br>James Manger<br>James.H.Manger@team.telstra.com<<a href="mailto:James.H.Manger@team.telstra.com">mailto:James.H.Manger@team.telstra.com</a>><br>Identity and security team ? Chief Technology Office ? Telstra<br><br>-------------- next part --------------<br>An HTML attachment was scrubbed...<br>URL: <<a href="http://lists.openid.net/pipermail/openid-general/attachments/20090910/2ee8a838/attachment.htm">http://lists.openid.net/pipermail/openid-general/attachments/20090910/2ee8a838/attachment.htm</a>><br><br>------------------------------<br><br>_______________________________________________<br>general mailing list<br><a href="mailto:general@lists.openid.net">general@lists.openid.net</a><br><a href="http://lists.openid.net/mailman/listinfo/openid-general">http://lists.openid.net/mailman/listinfo/openid-general</a></span></blockquote></div><br></body></html>