[Openid-specs-ab] Attribute Exchange w/ OpenID Connect?

Nat Sakimura sakimura at gmail.com
Sat Dec 1 04:01:09 UTC 2012


Interesting.

Perhaps we can define something that requests an anonymous or ephemeral
user_id, which will be different for every authentication request.
I suppose using "acr" would be good. We have defined 1, 2, 3, 4, and they will be
registered in the IANA registry. Perhaps defining "anonymous" in the registry
would also be good.

Having said that: unless the user has explicitly opted out from cookies, the
RP can actually track the user pretty much on the device.
And, even if the RP does not use cookies, a browser typically has 11 bits or
so of entropy, so it still can track the user pretty much.
Relying just on technology may be a bit misleading in this sense, as it may
create a false impression of not being tracked.

Nat


On Sat, Dec 1, 2012 at 1:19 AM, Torsten Lodderstedt <torsten at lodderstedt.net> wrote:

> We don't want the RP to track the user. So we would need to issue
> a different user_id for every request. But I don't think this fits into the
> Connect philosophy.
>
> regards,
> Torsten.
>
> On 30.11.2012 17:11, Justin Richer wrote:
>
>> Would using pairwise identifiers make this work?
>>
>>  -- Justin
>>
>> On 11/30/2012 11:09 AM, Torsten Lodderstedt wrote:
>>
>>> Hi,
>>>
>>> in some cases we want to provide RPs with attributes but no user_id,
>>> which is similar to AX. How can this be realized in Connect? The scope
>>> value "openid" activates the OpenID mode at the AS but it also requests
>>> access to the user_id Claim. If we do not want to disclose a user_id, does
>>> this mean we need to define a new, distinct scope for our use case, e.g.
>>> "attribute_x"?
>>>
>>> regards,
>>> Torsten.
>>> _______________________________________________
>>> Openid-specs-ab mailing list
>>> Openid-specs-ab at lists.openid.net
>>> http://lists.openid.net/mailman/listinfo/openid-specs-ab
>>>
>>
>



-- 
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en
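To make the distinction between pairwise and per-request (ephemeral) user_ids concrete, here is an added example; it is not code from this thread or from any OpenID implementation. It derives an HMAC-based pairwise sub scoped to the host of the RP's redirect_uri (that construction is an assumption, since OpenID Connect leaves the pairwise algorithm to the OP), a fresh sub per request, and a constructed cookie-less browser fingerprint to show the point above that an RP can still link sessions even without a stable sub.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlparse

# Constructed OP-side secret for pairwise derivation (kept in a KMS/HSM in practice).
PAIRWISE_SALT = b"constructed-op-pairwise-salt"


def sector_identifier(redirect_uri: str) -> str:
    """Host part of the RP's redirect_uri: the 'sector' a pairwise sub is scoped to."""
    return (urlparse(redirect_uri).hostname or "").lower()


def pairwise_sub(local_user_id: str, redirect_uri: str, salt: bytes = PAIRWISE_SALT) -> str:
    """Stable pseudonym per (user, RP sector). The same RP always sees the same sub,
    so it can recognise a returning user; different RPs get unrelated subs, so they
    cannot join their records on it. Assumed HMAC construction, not a spec algorithm."""
    msg = f"{sector_identifier(redirect_uri)}|{local_user_id}".encode()
    return hmac.new(salt, msg, hashlib.sha256).hexdigest()


def ephemeral_sub() -> str:
    """Fresh identifier for every authentication request (the 'anonymous' idea):
    by this value alone, even the same RP cannot link two logins."""
    return secrets.token_hex(16)


def fingerprint(user_agent: str, accept_language: str, screen: str) -> str:
    """Toy browser fingerprint built from attributes the RP sees without any cookie.
    Constructed to illustrate why an ephemeral sub on its own does not stop tracking."""
    raw = f"{user_agent}|{accept_language}|{screen}".encode()
    return hashlib.sha256(raw).hexdigest()[:16]


def rp_can_link(login_a: dict, login_b: dict) -> bool:
    """An RP can link two logins if either the sub or the fingerprint repeats."""
    return login_a["sub"] == login_b["sub"] or login_a["fp"] == login_b["fp"]
```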