[Openid-specs-ab] Attribute Exchange w/ OpenID Connect?

Torsten Lodderstedt torsten at lodderstedt.net
Sat Dec 1 15:52:12 UTC 2012


You are right, the RP may track the user by other means. Please see my answer to Eve's posting. I just don't want to reveal a user id to the RP.

Regards,
Torsten.



Nat Sakimura <sakimura at gmail.com> wrote:

>Interesting.
>
>Perhaps we can define something that requests an anonymous or ephemeral
>user_id, which will be different for every authentication request.
>I suppose using "acr" would be good. We have defined 1,2,3,4, and they will
>be registered in the IANA registry. Perhaps defining "anonymous" in the
>registry would also be good.
>
>Having said that: unless the user has explicitly opted out from cookies,
>the RP can actually track the user pretty much on the device.
>And, even if the RP does not use cookies, a browser typically has 11 bits
>or so of entropy, so it still can track the user pretty much.
>Relying just on technology may be a bit misleading in this sense, as it
>may create a false impression of not being tracked.
>
>Nat
>
>
>On Sat, Dec 1, 2012 at 1:19 AM, Torsten Lodderstedt <torsten at lodderstedt.net> wrote:
>
>> We don't want the RP to track the user. So we would need to issue a
>> different user_id for every request. But I don't think this fits into
>> the Connect philosophy.
>>
>> regards,
>> Torsten.
>>
>> On 30.11.2012 17:11, Justin Richer wrote:
>>
>>> Would using pairwise identifiers make this work?
>>>
>>> -- Justin
>>>
>>> On 11/30/2012 11:09 AM, Torsten Lodderstedt wrote:
>>>
>>>> Hi,
>>>>
>>>> in some cases we want to provide RPs with attributes but no user_id,
>>>> which is similar to AX. How can this be realized in Connect? The scope
>>>> value "openid" activates the OpenID mode at the AS but it also requests
>>>> access to the user_id Claim. If we do not want to disclose a user_id, does
>>>> this mean we need to define a new, distinct scope for our use case, e.g.
>>>> "attribute_x"?
>>>>
>>>> regards,
>>>> Torsten.
>>>> _______________________________________________
>>>> Openid-specs-ab mailing list
>>>> Openid-specs-ab at lists.openid.net
>>>> http://lists.openid.net/mailman/listinfo/openid-specs-ab
>>>>
>>>
>
>
>
>-- 
>Nat Sakimura (=nat)
>Chairman, OpenID Foundation
>http://nat.sakimura.org/
>@_nat_en
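The thread contrasts two ways an OP can keep the RP from correlating users on the subject identifier: Justin's pairwise identifiers (stable per RP, unlinkable across RPs) and Nat's ephemeral identifiers (fresh on every authentication). The following is an added illustration written for this archive page; it is not code from the thread, from the OpenID Foundation or from any OpenID Connect implementation. It models both schemes with a keyed hash (HMAC-SHA256 under an OP-side secret salt, over a length-delimited concatenation of the sector identifier, the local account id and, for the ephemeral case, a random nonce); the salt, sector identifiers, account id and issuer are constructed placeholders, and the "mode" switch stands in for whatever request signal (Nat mentions "acr") an OP would actually use. Note that "sub" itself is never omitted: the OP only decides how linkable its value is.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample data (not from the thread): an OP-side secret salt,
# two fictitious RPs identified by sector, and one local account id.
OP_SALT = b"constructed-op-secret-salt-keep-private"   # assumed; kept secret by the OP
OP_ISSUER = "https://op.example"                          # assumed issuer URL
RP_A_SECTOR = "rp-a.example"                              # assumed sector identifier of RP A
RP_B_SECTOR = "rp-b.example"                              # assumed sector identifier of RP B
ALICE = "local-account-4711"                              # assumed local account id at the OP


def _keyed_hash(salt: bytes, *parts: str) -> str:
    """HMAC-SHA256 over length-prefixed fields.

    Length prefixes keep ("ab", "c") and ("a", "bc") from colliding; keying with
    the OP's secret stops an RP from brute-forcing account ids out of the hash.
    """
    payload = b"".join(
        len(p.encode()).to_bytes(4, "big") + p.encode() for p in parts
    )
    return hmac.new(salt, payload, hashlib.sha256).hexdigest()


def pairwise_sub(local_account_id: str, sector_identifier: str,
                 salt: bytes = OP_SALT) -> str:
    """Pairwise subject (Justin's suggestion): one RP always sees the same value,
    but RPs with different sector identifiers cannot join records on it."""
    return _keyed_hash(salt, "pairwise", sector_identifier, local_account_id)


def ephemeral_sub(local_account_id: str, sector_identifier: str,
                  salt: bytes = OP_SALT) -> str:
    """Ephemeral subject (Nat's suggestion): a fresh 128-bit nonce is mixed in on
    every issuance, so even a single RP cannot link two logins via the identifier."""
    nonce = secrets.token_hex(16)
    return _keyed_hash(salt, "ephemeral", sector_identifier, local_account_id, nonce)


def id_token_claims(local_account_id: str, sector_identifier: str,
                    mode: str, attributes: dict) -> dict:
    """Minimal claim set for an ID Token. 'sub' is mandatory, so rather than leaving
    the user id out (Torsten's question) the OP picks how linkable it is."""
    if mode == "pairwise":
        sub = pairwise_sub(local_account_id, sector_identifier)
    elif mode == "ephemeral":
        sub = ephemeral_sub(local_account_id, sector_identifier)
    else:
        raise ValueError("mode must be 'pairwise' or 'ephemeral'")
    now = int(time.time())
    # Released attributes ride alongside 'sub'; any stable attribute (an e-mail
    # address, say) re-identifies the user regardless of how 'sub' was derived.
    return {"iss": OP_ISSUER, "sub": sub, "iat": now, "exp": now + 300, **attributes}


def linkability_report(local_account_id: str = ALICE) -> dict:
    """Exercise both schemes and report which correlations an RP could perform."""
    a1 = pairwise_sub(local_account_id, RP_A_SECTOR)
    a2 = pairwise_sub(local_account_id, RP_A_SECTOR)
    b1 = pairwise_sub(local_account_id, RP_B_SECTOR)
    e1 = ephemeral_sub(local_account_id, RP_A_SECTOR)
    e2 = ephemeral_sub(local_account_id, RP_A_SECTOR)
    return {
        "pairwise_stable_for_one_rp": a1 == a2,    # RP A recognises a returning user
        "pairwise_linkable_across_rps": a1 == b1,  # RP A and RP B cannot join on sub
        "ephemeral_stable_for_one_rp": e1 == e2,   # even RP A cannot link two logins
    }


if __name__ == "__main__":
    print(linkability_report())
    print(id_token_claims(ALICE, RP_A_SECTOR, "ephemeral", {"age_over_18": True}))
```

The report makes the trade-off concrete: pairwise subjects still let an RP recognise a returning user (which most Connect flows need), while ephemeral subjects remove that ability entirely. Neither changes Nat's point that cookies, browser fingerprinting or the released attributes themselves can re-identify the user independently of "sub".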